Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to get fields with rex?

frnSpLrnr11
Engager
‎11-07-2022 07:36 AM

Hello,

 

I have this search results:

 

 

 

Error for user flow: AAAAA - user: BBBB - Msg: {\"_errorCode\":Z, \"_message\": \"Example Error Message\"}

 

 

 

I'm trying to get the number of each each _errorCode for each user flow.

I started with 

 

 

index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | stats count as ErrorCount by user_flow

 

 

 

I was able to get the number of error occurrences under each user flow. I wanted to expand this query to be more granular and include the error code so I would have:

UserFlow ErrorCode Error Count
AAAA X 5
AAAA Y 7
BBBB F 1
BBBB G 2

 

This is the query I came up with but the statistics tab are no longer showing anything

 

 

index="example_index" source="example_source" sourcetype="example_st" Error for | rex field=_raw "user flow: (?<user_flow>\w+)" | rex field=_raw "_errorCode:\\\":(?<error_code>\d+)" |stats count as ErrorCount by user_flow, error_code

 

 

I see the events tab are still populated with search results  but it looks like my addition to the query is not quite correct.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 07:50 AM

Hi @frnSpLrnr11,

please try this, where the first row is only for the sample:

| makeresults | eval _raw="Error for user flow: AAAAA - user: BBBB - Msg: {\"_errorCode\":Z, \"_message\": \"Example Error Message\"}"
| rex field=_raw "user flow: (?<user_flow>\w+)"
| rex field=_raw "_errorCode\\\":(?<error_code>[^,]+)"
| stats values(error_code) AS error_code count BY user_flow

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 07:50 AM

Hi @frnSpLrnr11,

please try this, where the first row is only for the sample:

| makeresults | eval _raw="Error for user flow: AAAAA - user: BBBB - Msg: {\"_errorCode\":Z, \"_message\": \"Example Error Message\"}"
| rex field=_raw "user flow: (?<user_flow>\w+)"
| rex field=_raw "_errorCode\\\":(?<error_code>[^,]+)"
| stats values(error_code) AS error_code count BY user_flow

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 11:40 PM

Hi @frnSpLrnr11,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...