cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Matthew86
Explorer
Member since: ‎08-06-2020
‎12-23-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎08-06-2020
View All

Re: Extract fields from non-JSON formatted data

by in Splunk Search
‎12-23-2021 12:49 AM
1 Karma
‎12-23-2021 12:49 AM
1 Karma
fixed it: | rex field=line.message "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)" | table order_id ... View more

Re: Extract fields from non-JSON formatted data

by in Splunk Search
‎12-23-2021 12:42 AM
‎12-23-2021 12:42 AM
Hi richgalloway, Thanks for you reply. Unfortunately when I for example try to table the results I do not receive any results.  For example Base search .... | rex "order_id\\\":\s\\\"(?<order_id>[^\\\"]+)" | table order_id ... View more

Extract fields from non-JSON formatted data

by in Splunk Search
‎12-22-2021 09:00 AM
‎12-22-2021 09:00 AM
Hi Guys,  Hope you can help me out.  Consider the following data in Splunk:      { attrs: { account: 85859303 version: 1.3848 } line: { application_version: 1.94949303 message: Event with key 84js9393: {"entity": {"customer_id": "K123456", "order_id": "Sjd49493-93nd-9494-jdjd-mskaldjfhfhh", "collection_id": "djdis939-9398-9488-j939-md839md93000", "issuer_id": null}} thread: springfield timestamp: 2021-12-21 19:30:52,123 } }       I would like to extract the order_id and use it in my search:  order_id=Sjd49493-93nd-9494-jdjd-mskaldjfhfhh Hope someone can help or point me in the right direction. Cheers!  Matthew  ... View more
Labels

Re: Table with true and false (column) counts for ...

by in Splunk Search
‎08-07-2020 09:16 AM
‎08-07-2020 09:16 AM
Hi,  Thanks for your reply.  The sample event contains a large amount of data and the company I work for would not be happy about me sharing this sensitive information. However, It might help if I elaborate. A unique user (User_ID=B123456) has multiple events containing the fields User_ID and Agent. For this user the User_ID field never changes.  The events of a second unique user (User_ID=B654321) are completely unrelated to the first user (User_ID=B123456). Although they contain the same fields User_ID and Agent.  Basically, the count of true and false for each row (User) should be independent of the other rows (Users).  Hope this helps!  Let me know if you have any other questions.  Cheers!    ... View more

Table with true and false (column) counts for spec...

by in Splunk Search
‎08-07-2020 07:10 AM
‎08-07-2020 07:10 AM
Hi there,    I have just started using Splunk and it is quite alien to me. Hope you guys can help me out! I have the following search setup:    User_ID=B123456  | streamstats current=f window=1 last(Agent) as Prev_Agent | eval Agent_Change= if(Agent==Prev_Agent, "True", "False") Table Agent, Agent_Change   Basically, it is evaluating if the value of the field Agent is equal to the previous value for each event of a specific User (User_ID=B123456) Currently, it looks like this:    Agent         |           Agent_Change rgrg1          |           True  rgrg1          |           True  rgrg1          |           False  ytyt4          |           False  rgrg1          |           True  rgrg1          |           True  rgrg1          |           True    I would like to count the total amount of True and False values for multiple Users (User_ID) and display it in a one table.                                            True                  False B123456         |           55          |          76 B654321         |           22          |          82 B567890         |           87          |          99 B098765         |          12           |          33   Hope someone can help me out or at least point me in the right direction. Much appreciated!  Matthew ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-23-2021 05:01 AM
Karma from
View All
Karma given to
View All