Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction based onmore than one static strings and find out count

jyothishtj
New Member
‎09-23-2015 02:21 AM

Hi,

I am new to Splunk. I am trying to create a splunk query to find out the count of occurrence for a specific set of messages in a log file.

E.g, there are 7 messages "message1" "Message2" "Message3".... Message7. I need to create a table in the below format.

Message Count

message1 2
Message2 0
message3 0
message4 1
.....
.....
message7 4

Also, I want to create a dropdown with the 7 message values. When I select a message I need to get the entry for that message. An all option in the dropdown to get all message counts.

Can we use regex for this purpose? or any other suggestions to achieve this. The messages will be appearing in different part of the event. I want to avoid repeated "messages" in the same event
Please help in this.

Thanks in advance,
Jyo

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎09-23-2015 07:54 AM

Like this:

... | rex max_match=0 "(?<message>(?:first message string)|(?:second message string)|(?:third message string)|(?:fourth message string)|(?:fifth message string)|(?:sixth message string)|(?:seventh message string))" | stats count by message

Tack on | fields - count to get just the list of messages.

0 Karma
Reply

badrinath_itrs
Communicator
‎09-23-2015 04:29 AM

Hi,

You should use your query as ....(your search condition ) | stats count by (message field name) to get the count .

To create a drop down in your dashboard you should use the dynamic option to populate the drop down values and use a static for " all" options and select its value as "*". You can write your search as ....(your search condition ) | dedup (message field name) | field (message field name ) . You can take a look into the below documentation for more detail .

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Buildandeditforms

Use tokens in dashboard panel drop down and control your search using the token.

Hope it helps.

Thanks

0 Karma
Reply

jyothishtj
New Member
‎09-23-2015 04:32 AM

The problem is the message is not part of any field. It is part of the event and can be present in any part of the event.

0 Karma
Reply

badrinath_itrs
Communicator
‎09-23-2015 04:44 AM

Does your event contains the same data . Also if possible can you paste your sample data here . Try to extract the required fields which will help here.

0 Karma
Reply

benlc
Path Finder
‎09-23-2015 04:02 AM

Hi Jo

For the field definition regex would be suggested. You can test your regex with | rex field=_raw "yourregex" | count by messages.
If you name your field messages and then you get your table above. For help with your regex we would need an output of the log.

The dropdown will be the next step after prober setting the regex in the probs.conf as field extraction.

Bye
Ben

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...