Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Generating statistics from combined fields using rex

josipj
New Member
‎11-21-2018 10:51 AM

Hi,

I'm having difficulty creating a splunk query which generates an overview of field combinations using regular expression. What I'm trying todo is to combine the fields 'code' and 'outCome' to a key and count the combination over a certain period of time. It is possible for the element 'code' not to be present if that is the case I would like to print it "NA". What I would expect the table to look like is:

Code:outCome:Occurences
NA:01:2
UNKOWN:02:1
KNOWN:01:1

Below the splunk query:

| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw "(code>(?<code>\w+)<\/code>.*?)?outCome>(?<outCome>.*?)<\/outCome>"
| table code, outCome

Any suggestions on how to do this?

Kind regards,

Josip

Tags (1)
0 Karma
Reply

laurie_gellatly
Communicator
‎11-21-2018 06:20 PM 
| makeresults
 | eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
 | rex max_match=0 field=_raw mode=sed "s/Id\/><ad/Id\/><code>NA<\/code><ad/g"
 | rex max_match=0 field=_raw "code>(?<CodeOut>.*?)<\/outCome"
 | rex max_match=0 field=CodeOut mode=sed "s/<\/code.*Come>/:/"
 | mvexpand CodeOut
 | stats count by CodeOut

...Laurie:{)

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...