Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- get substring from long raw string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys, i am newbie in Splunk and i have the following indexed line:
Mar 21 20:12:14 HOST program name: 2013-03-21 20:12:14,424 | INFO | Event 'x.y|z.k|asdfvgh|sdfklsd|sdfsdtrwe|asafhwej|qoqwpeirw|' is not allowed. | sdfsdfsdfsd | sdfsdfwerwe thread #8 - Jfsdfsdfssd]
How can I do this:
- get only x.y|z.k|asdfvgh|sdfklsd|sdfsdtrwe|asafhwej|qoqwpeirw
- put the string x.y|.z.k... in new field (a =x.y|...)
- Remove duplicate values
- count all distinct strings
- generate chart or timechart or an hitmap with number of distinct strings
Thanhs for all your suport
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
yoursearchhere
| rex "Event \'(?<messageString>.*?)\' is not allowed."
| stats count by messageString
or
yoursearchhere
| rex "Event \'(?<messageString>.*?)\' is not allowed."
| timechart distinct_count(messageString)
Replace "yoursearchhere" with whatever makes sense; that might mean something like sourcetype=xyz
Did you need to restrict the search only to events that actually contain a messageString?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks Iguinn!
Yes, I need to restrict only to events that contain a messageString but for now your hint works fine!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
yoursearchhere
| rex "Event \'(?<messageString>.*?)\' is not allowed."
| stats count by messageString
or
yoursearchhere
| rex "Event \'(?<messageString>.*?)\' is not allowed."
| timechart distinct_count(messageString)
Replace "yoursearchhere" with whatever makes sense; that might mean something like sourcetype=xyz
Did you need to restrict the search only to events that actually contain a messageString?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
