Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving results when a value contains a with period and underscore?

saikamaldidigam
New Member
‎02-06-2017 09:21 AM

I would like to show results group by "SLA Request Key". I am able to view sample Data-2 but not Sample Data-1

Sample Data-1:
{"key":"SLA Request Key","value":"mls.ILSP_CONTNR_SKU_INSERT"}]}

Sample Data-2:
{"key":"SLA Request Key","value":"GetPickGroupsByBinLocation"}]}

index = xyz "Database Call Exceeded SLA" | rex field=_raw "SLA Request Key\",\"value\":\"(?\\w+)\"}]}" | stats count by slaKey

when i run this search, i am only getting the results for Sample Data-2(GetPickGroupsByBinLocation) not "mls.ILSP_CONTNR_SKU_INSERT" this. I assume this is not parsing stats count by when value is combined with Dot and Underscore

Can any one please help me?

Thanks in Advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎02-06-2017 10:28 AM

Since you are having json, why don't you use spath in your search? I would suggest put the extraction in the props.conf. Any how answering your question, try...

 your base search   | spath | stats c by key

Sample search ..

|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"mls.ILSP_CONTNR_SKU_INSERT\"}]}" | append [|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"GetPickGroupsByBinLocation\"}]}" ] | spath | stats c by key
V
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:10 PM

Thank you so much for your reply.

But your solution is not the one exactly which i am looking for.

Though this will be incredibly useful for me in future.

Thanks again for your valuable response.

0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:16 PM

If you can give me solution for your reply

"your base search | spath | stats c by key"

There are many keys in my raw data i was looking for key "SLA Request Key" and i want to exclude remaining keys and i want stats count by key
something like this

"my Base search ""SLA Request Key"" | spath | stats c by key -remove key2, key3 .........keyn"

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:09 PM

Thank you so much it worked for me !

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...