Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Generating statistics from combined fields using rex

josipj
New Member
‎11-21-2018 10:51 AM

Hi,

I'm having difficulty creating a splunk query which generates an overview of field combinations using regular expression. What I'm trying todo is to combine the fields 'code' and 'outCome' to a key and count the combination over a certain period of time. It is possible for the element 'code' not to be present if that is the case I would like to print it "NA". What I would expect the table to look like is:

Code:outCome:Occurences
NA:01:2
UNKOWN:02:1
KNOWN:01:1

Below the splunk query:

| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw "(code>(?<code>\w+)<\/code>.*?)?outCome>(?<outCome>.*?)<\/outCome>"
| table code, outCome

Any suggestions on how to do this?

Kind regards,

Josip

Tags (1)
0 Karma
Reply

laurie_gellatly
Communicator
‎11-21-2018 06:20 PM 
| makeresults
 | eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
 | rex max_match=0 field=_raw mode=sed "s/Id\/><ad/Id\/><code>NA<\/code><ad/g"
 | rex max_match=0 field=_raw "code>(?<CodeOut>.*?)<\/outCome"
 | rex max_match=0 field=CodeOut mode=sed "s/<\/code.*Come>/:/"
 | mvexpand CodeOut
 | stats count by CodeOut

...Laurie:{)

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...