Splunk Search

how to eval new field to filter events by a number in the raw data

annamareddi
New Member

i want to filter my data, based on the key numbers present in raw events.
example
event1:
sdfgn dfnlk 1/25/2017 ldjod djf lkd "iuhdfsadk sdkdljnkdl :key:123"jhdjdckl lcsdlkd

event2:
sdfgn dfnlk 1/25/2017 ldjod djf lkd "iuhdfsadk sdkdljnkdl :key:134"jhdjdckl lcsdlkd

event3:
sdfgn dfnlk 1/25/2017 ldjod djf lkd "iuhdfsadk sdkdljnkdl :key:1059"jhdjdckl lcsdlkd

event4:
sdfgn dfnlk 1/25/2017 ldjod djf lkd "iuhdfsadk sdkdljnkdl :key:1059"jhdjdckl lcsdlkd

i dont want repeated values, so i want the unique key values.

how to eval new field to filter this data by key values.

Tags (1)
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@annamareddi - Did the answer provided by jplumsdaine22 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

jplumsdaine22
Influencer

Do you mean that the field is not being extracted? You could use rex to create a new field:

... | rex ":key:(?<key>[^\"]+)"

and then you can use the field with stats etc. EG

... | rex ":key:(?<key>[^\"]+)" | stats count by key
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...