Splunk Search

Need REX Help - How do I table results?

kc_prane
Path Finder

Hello, when I table the results, the results are not matching exactly with the next columns. What can I add to resolve this issue? Please find the below screenshot for the results.

| rex field=_raw "(TEST_DETAIL_MESSAGE\s\=)(?<MESSAGE>\w+\D+\,)" max_match=0
| rex field=_raw "(TEST_COUNT\s\=)(?<COUNT>\s\d+)" max_match=0
| table MESSAGE COUNT

 

kc_prane_0-1659543543048.png

 

0 Karma

gcusello
Legend

Hi @kc_prane,

Could you share a sample of your logs?

Ciao.

Giuseppe

0 Karma

kc_prane
Path Finder

Hi Gcusello - thanks for the response. Please find the log below.

Detail_Message, COUNT

TEST_DETAIL_MESSAGE =Person with given Individual Id doesn't exist, TEST_COUNT = 28340 TEST_DETAIL_MESSAGE =could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet, TEST_COUNT = 301 TEST_DETAIL_MESSAGE =No entity found for query, TEST_COUNT = 59

TEST_DETAIL_MESSAGE =Search Query Processing error org.springframework.orm.jpa.JpaSystemException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls, TEST_COUNT = 60

TEST_DETAIL_MESSAGE =Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls, TEST_COUNT = 501

0 Karma

gcusello
Legend

Hi @kc_prane,

Both regexes are correct and extract the string.

In my environment values are correctly extracted and aligned.

gcusello_0-1659596243725.png

Probably the strings you shared are all in the same event and must be separated. Could you share your full search, so I can understand why the alignment isn't correct for you?

Ciao.

Giuseppe

0 Karma

kc_prane
Path Finder

Hi gcusello - Yes, all the lines are for the same event. How do I separate them? They are about 60 lines. This is a .csv file.

0 Karma

gcusello
Legend

Hi @kc_prane,

You should analyze your data better; maybe it's better to have an event for each line, or to separate the lines.

Could you share your full search, so I can understand why the alignment isn't correct for you?

Ciao.

Giuseppe

0 Karma

yuanliu
SplunkTrust

I am a little confused as to what you need diagnosis for, but based on the samples, you shouldn't need rex to begin with. Have you tried extract (aka kv)?

 

| kv pairdelim="," kvdelim="="

 

should give you

| TEST_COUNT | TEST_DETAIL_MESSAGE | _raw |
| --- | --- | --- |
| 28340 | Person with given Individual Id doesn't exist | TEST_DETAIL_MESSAGE =Person with given Individual Id doesn't exist, TEST_COUNT = 28340 |
| 301 | could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet | TEST_DETAIL_MESSAGE =could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet, TEST_COUNT = 301 |
| 59 | No entity found for query | TEST_DETAIL_MESSAGE =No entity found for query, TEST_COUNT = 59 |
| 60 | Search Query Processing error org.springframework.orm.jpa.JpaSystemException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls | TEST_DETAIL_MESSAGE =Search Query Processing error org.springframework.orm.jpa.JpaSystemException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls, TEST_COUNT = 60 |
| 501 | Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls | TEST_DETAIL_MESSAGE =Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls; nested exception is org.hibernate.HibernateException: Found shared references to a collection: com.ltss.common.transition.model.TnsRqst.tnsAddrDtls, TEST_COUNT = 501 |

 

0 Karma

kc_prane
Path Finder

Hi yuanliu - Thanks for the response. Can you please provide the exact query? Your results look good.

0 Karma

yuanliu
SplunkTrust

I initially thought you had one line per event. If the entire CSV is one event, try this:

| rename _raw AS data
| eval data = split(data, "
")
| mvexpand data ``` cannot mvexpand _raw ```
| rename data as _raw
| kv pairdelim="," kvdelim="="
| fields - _time
| where isnotnull(TEST_COUNT)

 

0 Karma
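Added illustration (Python, not code from the thread or from Splunk): it models the two independent max_match=0 extractions from the question next to the split-into-lines approach from the last answer, showing one way positional pairing of two multivalue fields can drift while per-line parsing keeps each message with its count. The sample event, its middle line with digits in the message, and `RECORD_RE` are constructed for this example; nothing here establishes that this was the cause in the original poster's data.

```python
import re

# Constructed event: several CSV lines indexed as ONE event, as in the thread.
# The middle line is constructed so that its message contains digits.
EVENT = "\n".join([
    "TEST_DETAIL_MESSAGE =No entity found for query, TEST_COUNT = 59",
    "TEST_DETAIL_MESSAGE =Timeout after 30 seconds, TEST_COUNT = 7",
    "TEST_DETAIL_MESSAGE =Person with given Individual Id doesn't exist, TEST_COUNT = 28340",
])

# The two patterns from the question; (?<name>...) becomes (?P<name>...) in Python.
MESSAGE_RE = re.compile(r"(TEST_DETAIL_MESSAGE\s\=)(?P<MESSAGE>\w+\D+\,)")
COUNT_RE = re.compile(r"(TEST_COUNT\s\=)(?P<COUNT>\s\d+)")

# Hypothetical per-line pattern that captures both fields in one match.
RECORD_RE = re.compile(
    r"TEST_DETAIL_MESSAGE\s*=(?P<MESSAGE>.*),\s*TEST_COUNT\s*=\s*(?P<COUNT>\d+)\s*$"
)


def extract_independently(event):
    """Model two separate max_match=0 extractions: two unrelated value lists."""
    messages = [m.group("MESSAGE") for m in MESSAGE_RE.finditer(event)]
    counts = [m.group("COUNT").strip() for m in COUNT_RE.finditer(event)]
    return messages, counts


def extract_per_line(event):
    """Split the event into lines first, then take both fields from each line."""
    rows = []
    for line in event.splitlines():
        m = RECORD_RE.search(line)
        if m:  # skip header or blank lines, like where isnotnull(TEST_COUNT)
            rows.append((m.group("MESSAGE").strip(), int(m.group("COUNT"))))
    return rows


if __name__ == "__main__":
    messages, counts = extract_independently(EVENT)
    print(len(messages), "messages vs", len(counts), "counts")
    for message, count in zip(messages, counts):
        print("positional pair:", count, message)
    for message, count in extract_per_line(EVENT):
        print("per-line row:  ", count, message)
```

The `\D+` in the question's MESSAGE pattern stops at the first digit, so the constructed middle line yields a count but no message, and every later message pairs with the wrong count when the two lists are read side by side.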