Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regarding Search

rajgowd1
Communicator
‎01-01-2017 10:25 AM

HI,
we have log which has some key value pairs and one of the key is instance which has values like 0,1,2
when ever there is an issue,application logs displays instance 0 crashed,instance 0 STARTED instance 1 STOPPED

i am trying to display in scatter chart in x-axis time and in Y-Axis status like UPDATE,CRASHED,STARTED or STOPPED

here is the search i am trying with table but how can we show them in scatter

when i try to display in table with below search,for last column newmsg always displays UPDATE for all

index=myindex messtype=* ori=* orgname=* env=PROD (appname=demo-prod OR appname=demo-prod OR appname=demo-PROD2) | eval newmsg="UPDATE" | rex field=msg"(?CRASHED|STARTED|STOPPED)" | table appname, time, source_instance, newmsg | sort appname, time, source_instance, newmsg

here is the sample log

<6>2017-01-01T05:59:42Z 2ejoqs8tf0q doppler[20]: {"appid":"beaffaf8-28d8-4d2b-959b-c71a7547283f","appname":"demo-prod",
"ignoredapp":false,"orgid":"55c398bc-86d0-4443-ad97-1711fe264638","orgname":"LATAM-MX-DIGITAL","cf_origin":"firehose",
"space_id":"51e0484a-d642-4f37-b979-d40336913f8f","env":"CC-PORTAL-UAT3","deployment":"cf","event_type":"LogMessage",
"ip":"168.72.205.40","job":"cloud_controller-partition-a2833c853cfafee70104","job_index":"2","level":"info","messtype":"OUT",
"msg":"App instance exited with guid beaffaf8-28d8-4d2b-959b-c71a7547283f payload: {\"instance\"=\u003e\"d0bfa02d-43d8-439c-7d4b-d29cb9e13835\",
\"index\"=\u003e0, \"reason\"=\u003e\"CRASHED\", \"exit_description\"=\u003e\"2 error(s) occurred:\n\n* 2 error(s) occurred:\n\n* Codependent
step exited\n* cancelled\n* cancelled\", \"crash_count\"=\u003e134, \"crash_timestamp\"=\u003e1483250382557858527,
\"version\"=\u003e\"7e7e8a62-a249-4608-a69b-d55daf3947c6\"}","origin":"cloud_controller","source_instance":"2","source_type":"API",
"time":"2017-01-01T05:59:42Z","timestamp":1483250382577570779}

Tags (1)
0 Karma
Reply

niketn
Legend
‎01-01-2017 11:49 PM

You would need to reconsider your regular expression for field extraction. Assuming msg field contains the reason information that you want to extract:

<Your Base Search>
| rex field=msg "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\," 
| table appname, time, source_instance, msg, newmsg 
| sort appname, time, source_instance, newmsg

If msg field does not have the reason as expected, you can replace msg with _raw i.e. 

| rex field=_raw "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\,"

PS: Ideal you should move this to Field Extraction using Extract New Fields in Splunk Search or through Props.conf, once you have established that the regular expression is working as expected. For quick hints/testing regular expressions you can try regex101.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

rajgowd1
Communicator
‎01-02-2017 09:00 AM

Hi,
it throwing error when i replace the regular expression

| rex field=_raw "reason\\"=\(?\w+)\\"(?\w+)\\"\,"

Error in 'rex' command: Encountered the following error while compiling the regex 'reason\"=(?\w+)\"(?\w+)\"\,': Regex: unmatched parentheses

and i would like to show them in scatter graph,which i explained in my question.

0 Karma
Reply

rajgowd1
Communicator
‎01-02-2017 11:09 AM

i tried this search and got result with different states

eval newmsg="UPDATE" | rex field=_raw "(?CRASHED|STARTED|STOPPED)"

how can we show this scatter chart or in D3

x-axis as time and
y-axis as CRASHED,STARTED,STOPPED or UPDATE

0 Karma
Reply

rajgowd1
Communicator
‎01-02-2017 12:50 PM

alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...