Solved: rex for chkin chkout

indeed_2000 · ‎10-12-2021

Hi
here is the log:
23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000003123456] from PC1
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2
23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000000000030] from PC1
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2

need to sum values in brackets.
expected output:
items total1 total2 from
CHKIN 200000 3123486 PC1
CHKOUT 20 0 PC2

Thanks

richgalloway · ‎10-12-2021

Here is a regex that matches the sample data.

| rex "(?<item>CHKIN|CHKOUT):\s+Total:\[(?<total>\d+)].*Total:\[C(?<table>\d+)] from (?<from>\w+)"

And this run-anywhere query produces the sample results.

| makeresults | eval data="23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000003123456] from PC1|
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2|
23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000000000030] from PC1|
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2" | eval data=split(data,"|") | mvexpand data | eval _raw=data
```The above commands are just to produce sample data```
| rex "(?<item>CHKIN|CHKOUT): Total:\[(?<total>\d+)].*Total:\[C(?<table>\d+)] from (?<from>\w+)"
| stats sum(total) as "total sum", sum(table) as table by item  from
| table item "total sum" table from

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-12-2021

Here is a regex that matches the sample data.

| rex "(?<item>CHKIN|CHKOUT):\s+Total:\[(?<total>\d+)].*Total:\[C(?<table>\d+)] from (?<from>\w+)"

And this run-anywhere query produces the sample results.

| makeresults | eval data="23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000003123456] from PC1|
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2|
23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000000000030] from PC1|
23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2" | eval data=split(data,"|") | mvexpand data | eval _raw=data
```The above commands are just to produce sample data```
| rex "(?<item>CHKIN|CHKOUT): Total:\[(?<total>\d+)].*Total:\[C(?<table>\d+)] from (?<from>\w+)"
| stats sum(total) as "total sum", sum(table) as table by item  from
| table item "total sum" table from

---
If this reply helps you, Karma would be appreciated.

indeed_2000 · ‎10-12-2021

Thank you for answer, but there are two spaces after chkout, it will remove when i copy past here

here is the correct log:

23:50:26.698 app module1: CHKIN: Total:[100000] from table Total:[C000003123456] from PC1

23:33:39.389 app module2: CHKOUT: Total:[10] from table Total:[C000000000000] from PC2

richgalloway · ‎10-12-2021

Thanks for sharing. I'm assuming you want me to tell you how to handle that. See my revised reply.

---
If this reply helps you, Karma would be appreciated.

indeed_2000 · ‎10-12-2021

Thank you for answer, it work like a charm.

instead of last line “| table…” is it possible show result as single value? Big numbers in dashboard.

Something like this:

CHKIN 200000 3123486
CHKOUT 20 0

richgalloway · ‎10-12-2021

The singleValue visualization is intended for displaying numbers and, as the name implies, shows a single value. Your results have 3 values in 2 events - something not suitable for a singleValue visualization.

If you're trying to make the data stand out more, try using CSS. See https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-customizing-simplexml-dashboards-w...for more information.

---
If this reply helps you, Karma would be appreciated.

rex for chkin chkout

eval

rex

stats

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!