Splunk Search

help to build the query using abstract command

logloganathan
Motivator

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

this query displaying 5 lines but want only the first lines

how to get using abstract maxlines=1

Tags (1)
0 Karma
1 Solution

niketn
Legend

@logloganathan, based on your description so far seems like you want your regular expression to return result only from first line of an event. The .* Regular Expression by default stops at a line break which should do it. You are focused on abstract and rex command however, even if feasible that might not be right way at all. We would not be able assist you properly unless you provide further detail of what regular expression you have used and provide some mocked up anonymized data.

What do you mean by regular expression..it having 5 lines value? It can either be raw event with data across 5 lines or Regular Expression based extraction that fetches 5 lines instead of 1.

Whether it is _raw event with 5 lines or Regular Expression fetching 5 lines, you can adjust your Regular Expression to fetch only the first line (which would be ideal way).

Although I have taken an example for Splunk's _internal log which is always 1 line but you can try with your base search instead along with your own regex:

index=_internal sourcetype=splunkd
| abstract maxlines=1
| rex "^([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<logLevel>[^\s]+)\s"
| table logLevel _raw
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@logloganathan, based on your description so far seems like you want your regular expression to return result only from first line of an event. The .* Regular Expression by default stops at a line break which should do it. You are focused on abstract and rex command however, even if feasible that might not be right way at all. We would not be able assist you properly unless you provide further detail of what regular expression you have used and provide some mocked up anonymized data.

What do you mean by regular expression..it having 5 lines value? It can either be raw event with data across 5 lines or Regular Expression based extraction that fetches 5 lines instead of 1.

Whether it is _raw event with 5 lines or Regular Expression fetching 5 lines, you can adjust your Regular Expression to fetch only the first line (which would be ideal way).

Although I have taken an example for Splunk's _internal log which is always 1 line but you can try with your base search instead along with your own regex:

index=_internal sourcetype=splunkd
| abstract maxlines=1
| rex "^([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<logLevel>[^\s]+)\s"
| table logLevel _raw
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

logloganathan
Motivator

This is one i need. Thanks for your help!!
very helpful Nikenilay!! Thanks Again

0 Karma

niketn
Legend

@logloganathan, I am glad it worked. However, like I said, you should ideally be able to handle directly in rex command without having to use abstract command which is working for you but is actually just an overhead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

p_gurav
Champion

Can you try :

base query | regex field= "XXX*(?.{10}).*\n" OR  base query | regex field= "XXX*(?[^\n\r]+)"
0 Karma

logloganathan
Motivator

is it possible to do the same with abstract command?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value | head 1
---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

it wont work..it provide table with one result

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Isn't that what you asked for? ("want only the first lines") If you want more than one line, change the "1" to the desired number.

If it's something else you seek, please clarify the question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

Actually i have regular expression and displaying the value
that value have 5 lines. i want to reduce that using the abstract command
how to do that

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

regular_expression_value count
5 lines 4
3 lines 8

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The abstract command is for text, not stats.

---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

Could you please modify the same command without stats and substitute abstract

0 Karma

richgalloway
SplunkTrust
SplunkTrust

base query | regex field= "XXX*(?.*)" | abstract maxlines=1

---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

what will it do?
it not providing the answer i expected

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What answer are you expecting? What exactly are you trying to do? You insist on using abstract, but perhaps that is not the way to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

Hi,

actually i have regular expression..it having 5 lines value.
i want one line using abstract.
is it possible to do?
Could you please help me in this request.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's still not clear to me what your goal is. You've re-stated the original request and not added any clarification. I've done all I can do with what you've provided so far.

---
If this reply helps you, Karma would be appreciated.
0 Karma

logloganathan
Motivator

Thanks for your help
i think we can't combine abstract command and regex.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...