I have a log entry that looks like this
2009-10-02 16:52:30 To USA-XXX F 2 &STR
where XXX is the account number - I have, as you may have guessed, over 800 such account numbers (1 through 800 to be specific) trapped inside these logs that I need to do a timechart and group by on.
I want to be able to extract the account number XXX from this search somehow.
I have figured out the first step (unless regex is the way to go)
i) filter all the matches using sourcetype="usalog" | search *To*STR
ii) tag on another search that somehow filters the XXX
Any suggestions? Perhaps field extractions?
Try something like:
sourcetype=usalog | rex field=_raw "To USA-(?<ac_number>\d{1,3})" | timechart count by ac_number
You can perform the search-time extraction on the account number inline using the rex command, as shown above, or save it (via Splunk Web or manual edit) in props.conf using the EXTRACT keyword in a sourcetype stanza:
[usalog]
EXTRACT-extract_ac_num = To USA-(?<ac_number>\d{1,3})
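As an added illustration (not part of the answer above and not Splunk's own code), the following Python emulates what the rex and timechart stages do, using the same pattern on constructed sample events in the question's format; the 10-minute span, the event list and the function names are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events in the format shown in the question (not real log data).
SAMPLE_EVENTS = """\
2009-10-02 16:52:30 To USA-17 F 2 &STR
2009-10-02 16:53:02 To USA-17 F 2 &STR
2009-10-02 16:58:44 To USA-342 F 1 &STR
2009-10-02 17:01:10 To USA-800 F 2 &STR
2009-10-02 17:03:59 From USA-17 F 2 &STR
2009-10-02 17:10:15 To USA-342 F 2 &STR
""".splitlines()

# Same pattern as the answer's rex; Python spells a named group (?P<name>...)
# where Splunk's PCRE syntax uses (?<name>...).
AC_NUMBER_RE = re.compile(r"To USA-(?P<ac_number>\d{1,3})")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def extract_ac_number(event: str):
    """Emulate `rex field=_raw "To USA-(?<ac_number>\\d{1,3})"`: return the
    captured account number, or None when the event does not match (rex leaves
    the field absent in that case, so `timechart ... by ac_number` drops it)."""
    m = AC_NUMBER_RE.search(event)
    return m.group("ac_number") if m else None


def timechart_count_by_ac_number(events, span_minutes=10):
    """Emulate `timechart count by ac_number` with a fixed span (assumed 10m):
    bucket each event's timestamp to the start of its span and count per account."""
    buckets = defaultdict(Counter)
    for event in events:
        ac = extract_ac_number(event)
        if ac is None:
            continue  # no ac_number field -> not counted under any series
        ts = datetime.strptime(event[:19], TS_FORMAT)
        bucket = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0)
        buckets[bucket.strftime(TS_FORMAT)][ac] += 1
    return {b: dict(c) for b, c in sorted(buckets.items())}
```

Note that `\d{1,3}` captures only the first three digits of a longer digit run, which is fine for account numbers 1 through 800 but would silently mis-bucket any four-digit value appearing in the same position.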
Thank you!
That worked like a charm!