Solved: want to extract field values from log and perform ...

nhatode · ‎12-15-2021

Hi,

Below is my Log:

"{"log":"{'URI': '/api/**/***/search?', 'METHOD': 'POST', 'FINISH_TIME': '2021-Dec-15 12:15:04 CST', 'PROTOCOL': 'http', 'RESPONSE_CODE': 202, 'RESPONSE_STATUS': '202 ACCEPTED', 'RESPONSE_TIME': 4.114464243873954} ","service_name":"Digdug/digdug","container":"Digdug-digdug-2","environment":"PROD"}"

Want to extract "RESPONSE_CODE" value

And show like below

RESPONSE_CODE	Count
202	1
200	6

Thanks

johnhuang · ‎12-15-2021

| rex "RESPONSE_CODE\'\:\s(?<RESPONSE_CODE>\d+)"
| stats count as Count by RESPONSE_CODE

edit: looks like @richgalloway beat me to it.

View solution in original post

richgalloway · ‎12-15-2021

Here's one way.

<your search for Log>
| rex "RESPONSE_CODE':\s*(?<RESPONSE_CODE>\d+)"
| stats count by RESPONSE_CODE

---
If this reply helps you, Karma would be appreciated.

johnhuang · ‎12-15-2021

| rex "RESPONSE_CODE\'\:\s(?<RESPONSE_CODE>\d+)"
| stats count as Count by RESPONSE_CODE

edit: looks like @richgalloway beat me to it.

want to extract field values from log and perform stats on it.

stats

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

want to extract field values from log and perform stats on it.

stats

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!