Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Serching Development Log Files

sjjohns
New Member
‎05-28-2012 05:56 AM

So I am brand new to Splunk. I just finished setting up a Ubuntu server for indexing and have got all my forwarders working just fine. When it came to indexing a log file from a development test I get stuck on how to search for what I want. For example the log files look something like this:

Test1: Total: 3 Succeeded: 3 Failed: 0

Test2: Total: 5 Succeeded: 4 Failed: 1

Test3: Total: 3 Succeeded: 3 Failed: 0

I would like to be able to know how many time the whole deployment test succeeded. If it failed which test it failed on, and graph the results. I have had difficulties trying to get the numbers after Total, Succeeded, and Failed in to integers I have tried tonumber and I think it has worked. But after that I am not sure how to get it to reference the Test number it goes with

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎05-28-2012 06:17 PM

Here is a search time field extraction using the rex command.You could also declare this in props.conf using EXTRACT.

Test1: Total: 3 Succeeded: 3 Failed: 0
Test2: Total: 5 Succeeded: 4 Failed: 1
Test3: Total: 3 Succeeded: 3 Failed: 0

... | rex field=_raw "(?<test_id>\w+):\s\w+:\s(?<total_count>\d+)\s\w+:\s(?<success_count>\d+)\s\w+:\s(?<fail_count>\d+)"

Then, with the fields extracted, there are many different potential searches , here are a couple to get you started.

"how many time the whole deployment test succeeded"

... | stats sum(total_count) as "Total Tests"  sum(success_count) as "Succeeded"  sum(fail_count) as "Failed"

"If it failed which test it failed on"

...| where fail_count > 0 | stats sum(fail_count) as "Failed Tests" by test_id

View solution in original post

Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎05-28-2012 06:17 PM

Here is a search time field extraction using the rex command.You could also declare this in props.conf using EXTRACT.

Test1: Total: 3 Succeeded: 3 Failed: 0
Test2: Total: 5 Succeeded: 4 Failed: 1
Test3: Total: 3 Succeeded: 3 Failed: 0

... | rex field=_raw "(?<test_id>\w+):\s\w+:\s(?<total_count>\d+)\s\w+:\s(?<success_count>\d+)\s\w+:\s(?<fail_count>\d+)"

Then, with the fields extracted, there are many different potential searches , here are a couple to get you started.

"how many time the whole deployment test succeeded"

... | stats sum(total_count) as "Total Tests"  sum(success_count) as "Succeeded"  sum(fail_count) as "Failed"

"If it failed which test it failed on"

...| where fail_count > 0 | stats sum(fail_count) as "Failed Tests" by test_id
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...