Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving results when a value contains a with period and underscore?

saikamaldidigam
New Member
‎02-06-2017 09:21 AM

I would like to show results group by "SLA Request Key". I am able to view sample Data-2 but not Sample Data-1

Sample Data-1:
{"key":"SLA Request Key","value":"mls.ILSP_CONTNR_SKU_INSERT"}]}

Sample Data-2:
{"key":"SLA Request Key","value":"GetPickGroupsByBinLocation"}]}

index = xyz "Database Call Exceeded SLA" | rex field=_raw "SLA Request Key\",\"value\":\"(?\\w+)\"}]}" | stats count by slaKey

when i run this search, i am only getting the results for Sample Data-2(GetPickGroupsByBinLocation) not "mls.ILSP_CONTNR_SKU_INSERT" this. I assume this is not parsing stats count by when value is combined with Dot and Underscore

Can any one please help me?

Thanks in Advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎02-06-2017 10:28 AM

Since you are having json, why don't you use spath in your search? I would suggest put the extraction in the props.conf. Any how answering your question, try...

 your base search   | spath | stats c by key

Sample search ..

|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"mls.ILSP_CONTNR_SKU_INSERT\"}]}" | append [|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"GetPickGroupsByBinLocation\"}]}" ] | spath | stats c by key
V
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:10 PM

Thank you so much for your reply.

But your solution is not the one exactly which i am looking for.

Though this will be incredibly useful for me in future.

Thanks again for your valuable response.

0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:16 PM

If you can give me solution for your reply

"your base search | spath | stats c by key"

There are many keys in my raw data i was looking for key "SLA Request Key" and i want to exclude remaining keys and i want stats count by key
something like this

"my Base search ""SLA Request Key"" | spath | stats c by key -remove key2, key3 .........keyn"

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:09 PM

Thank you so much it worked for me !

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...