Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Stats by custom string

dv2323
Explorer
‎07-10-2020 07:19 AM

I'd like to display stats based on a custom string within a log entry.  Below is sample of the log entry.  I'd like to parse the unique entries seen after "The following DAP records were selected for this connection:" string.  If possible use the stats by .... method so it displays a unique entry with the amount of times it's been seen.   So in the case of the 2 entries below, the stats would have TEST_AUTOMATION_VENDOR, and TEST2_AUTOMATION_VENDOR with a count next to it. I can do this for VPN users quite easily, but can't figure out how to do it for unique results of a string.   I only know the basics of splunk search syntax so hopefully I'm explaining this clearly.

 

%ASA-dap-6-734001: DAP: User TESTUSER, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: TEST_AUTOMATION_VENDOR

%ASA-dap-6-734001: DAP: User TESTUSER2, Addr 12.12.12.12, Connection AnyConnect: The following DAP records were selected for this connection: TEST2_AUTOMATION_VENDOR

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎07-10-2020 08:40 AM

Sorry yes, you could use a variety of different regexs depending on what the rest of your data looks like - I missed the numerical digits..

index=your_index sourcetype=your_sourcetype 
| rex field=_raw "The following DAP records were selected for this connection: (?<dap_record>[a-zA-Z0-9_]+)
| stats count by dap_record

Let me know how you get on! Fingers crossed!

Will

View solution in original post

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎07-10-2020 07:59 AM

Hi @dv2323 You can use the rex command to extract the DAP record and then use stats, something like this:

index=your_index sourcetype=your_sourcetype 
| rex field=_raw "The following DAP records were selected for this connection: (?<dap_record>[A-Z_]+)"
| stats count by dap_record

I hope this helps!  

Reply
Solved! Jump to solution

dv2323
Explorer
‎07-10-2020 08:07 AM

Thank you that is very close to what I'm looking for!  It's working, however it's only giving me partial names, and single Letter results.  I'm thinking maybe the regex piece of [A-Z_]+ needs to be adjusted to include an entire dap record?

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎07-10-2020 08:40 AM

Sorry yes, you could use a variety of different regexs depending on what the rest of your data looks like - I missed the numerical digits..

index=your_index sourcetype=your_sourcetype 
| rex field=_raw "The following DAP records were selected for this connection: (?<dap_record>[a-zA-Z0-9_]+)
| stats count by dap_record

Let me know how you get on! Fingers crossed!

Will

0 Karma
Reply
Solved! Jump to solution

dv2323
Explorer
‎07-10-2020 09:13 AM

This works well.  Gives me just the full DAP name, and count.  Thank you.

0 Karma
Reply
Solved! Jump to solution

rbar16
Explorer
‎07-10-2020 08:36 AM

@dv2323 Replace [A-Z_]+ with ".+" or ".*". You can also add an anchor "$" for end of line after the cap group if desired.

(?<dap_record>.+)$

Reply
Solved! Jump to solution

dv2323
Explorer
‎07-10-2020 09:13 AM

This works well.  Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...