Splunk Search
Highlighted

search for pattern and if condition greater than chart splunk search

Explorer

Hi Team,

I have a query that output below.

loggerName="test" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }

Here I would like to capture/Search for the 'Test OS;11.3'

and make it to Test-OS=11.3 and count and chart the Test-OS values (Please note 11.3 is variable value)

Then the I would like to chart the number of logs entries with Test-OS > 13.

0 Karma
Highlighted

Re: search for pattern and if condition greater than chart splunk search

Ultra Champion

Unless i am missing something, I cant see Test OS;11.3 in your event?

0 Karma
Highlighted

Re: search for pattern and if condition greater than chart splunk search

Explorer

Added. Pls check.

0 Karma
Highlighted

Re: search for pattern and if condition greater than chart splunk search

Ultra Champion

extract check:

| makeresults
| eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }"
 | rex "Test OS;(?<Test_OS>[\d.]+)"

recommend:

your_search
| rex "Test OS;(?<Test_OS>[\d.]+)"
| stats count by Test_OS
| where Test_OS > 13

View solution in original post

0 Karma