Solved: help to build the query using abstract command

logloganathan · ‎03-21-2018

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

this query displaying 5 lines but want only the first lines

how to get using abstract maxlines=1

niketn · ‎03-28-2018

@logloganathan, based on your description so far seems like you want your regular expression to return result only from first line of an event. The .* Regular Expression by default stops at a line break which should do it. You are focused on abstract and rex command however, even if feasible that might not be right way at all. We would not be able assist you properly unless you provide further detail of what regular expression you have used and provide some mocked up anonymized data.

What do you mean by regular expression..it having 5 lines value? It can either be raw event with data across 5 lines or Regular Expression based extraction that fetches 5 lines instead of 1.

Whether it is _raw event with 5 lines or Regular Expression fetching 5 lines, you can adjust your Regular Expression to fetch only the first line (which would be ideal way).

Although I have taken an example for Splunk's _internal log which is always 1 line but you can try with your base search instead along with your own regex:

index=_internal sourcetype=splunkd
| abstract maxlines=1
| rex "^([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<logLevel>[^\s]+)\s"
| table logLevel _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-28-2018

@logloganathan, based on your description so far seems like you want your regular expression to return result only from first line of an event. The .* Regular Expression by default stops at a line break which should do it. You are focused on abstract and rex command however, even if feasible that might not be right way at all. We would not be able assist you properly unless you provide further detail of what regular expression you have used and provide some mocked up anonymized data.

What do you mean by regular expression..it having 5 lines value? It can either be raw event with data across 5 lines or Regular Expression based extraction that fetches 5 lines instead of 1.

Whether it is _raw event with 5 lines or Regular Expression fetching 5 lines, you can adjust your Regular Expression to fetch only the first line (which would be ideal way).

Although I have taken an example for Splunk's _internal log which is always 1 line but you can try with your base search instead along with your own regex:

index=_internal sourcetype=splunkd
| abstract maxlines=1
| rex "^([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<logLevel>[^\s]+)\s"
| table logLevel _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

logloganathan · ‎03-29-2018

This is one i need. Thanks for your help!!
very helpful Nikenilay!! Thanks Again

niketn · ‎03-29-2018

@logloganathan, I am glad it worked. However, like I said, you should ideally be able to handle directly in rex command without having to use abstract command which is working for you but is actually just an overhead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

p_gurav · ‎03-27-2018

Can you try :

base query | regex field= "XXX*(?.{10}).*\n" OR  base query | regex field= "XXX*(?[^\n\r]+)"

logloganathan · ‎03-27-2018

is it possible to do the same with abstract command?

richgalloway · ‎03-21-2018

Try

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value | head 1

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-21-2018

it wont work..it provide table with one result

richgalloway · ‎03-21-2018

Isn't that what you asked for? ("want only the first lines") If you want more than one line, change the "1" to the desired number.

If it's something else you seek, please clarify the question.

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-22-2018

Actually i have regular expression and displaying the value
that value have 5 lines. i want to reduce that using the abstract command
how to do that

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

regular_expression_value count
5 lines 4
3 lines 8

richgalloway · ‎03-22-2018

The abstract command is for text, not stats.

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-22-2018

Could you please modify the same command without stats and substitute abstract

richgalloway · ‎03-23-2018

base query | regex field= "XXX*(?.*)" | abstract maxlines=1

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-23-2018

what will it do?
it not providing the answer i expected

richgalloway · ‎03-27-2018

What answer are you expecting? What exactly are you trying to do? You insist on using abstract, but perhaps that is not the way to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-27-2018

Hi,

actually i have regular expression..it having 5 lines value.
i want one line using abstract.
is it possible to do?
Could you please help me in this request.

richgalloway · ‎03-28-2018

It's still not clear to me what your goal is. You've re-stated the original request and not added any clarification. I've done all I can do with what you've provided so far.

---
If this reply helps you, Karma would be appreciated.

logloganathan · ‎03-28-2018

Thanks for your help
i think we can't combine abstract command and regex.

help to build the query using abstract command

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application