Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove numbers from splunk events

richnavis
Contributor
‎06-21-2013 04:23 PM

I"m trying to create a search that will show me the count of certain types of events I get in a Windows Event Log. The problem I'm having is that the field I'm keying on (MSG) often has unique numerical values for the same event.

Example:

Event1: There is no object at postion 2

Event2: There is no object at position 22

Event3: There is no object at position 34

Event4: Wait time has been 22 seconds

Event5: Wait time has been 45 seconds

Event6: Wait time has been 127 seconds

If I did the following search: index=eventlogs | stats count by MSG I would get 6 rows of data, each with a count of 1, where I'd really like it to tell me I have 2 events, with a count of 3 for each. In the example above, I have 2 event types, but the different unique numerical values in the data for each field makes it look like I have 6 different event types. Is there a way I can have splunk ignore the numerical values?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-21-2013 05:21 PM

You can try

index=eventlogs | eval MSG=replace(MSG,"\d+","N") | stats count by MSG

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-21-2013 05:21 PM

You can try

index=eventlogs | eval MSG=replace(MSG,"\d+","N") | stats count by MSG
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-02-2013 09:28 AM

You can use any regex with replace(). So replace(MSG,"\([^\)]*\)","(P)" would work for (non-nested) parens.

0 Karma
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-02-2013 09:20 AM

Nice.. is there also a way to do a similar type thing for anything between parenthesis? So.. if the event had something like "System Error(cart value=roses) has occurred", I could ignore the value inside the paraenthesis?

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎06-21-2013 05:16 PM

You should should setup an eventtypes.conf. You can probably define the eventtype through the gui as well. But I am used to working in the config files.

You can do like this in eventtypes.conf

[MyEvents-NoObject]

search = index=eventlogs sourcetype=WinEventLog:Application MSG="*There is no object*"

[MyEvents-WaitTime]

search = index=eventlogs sourcetype=WinEventLog:Application MSG="*Wait time has been*"

Now with that configuration in play you should see that each of your search results has an eventtype matching it. So you could now do a search like:
index=eventlogs | stats count by eventtype

0 Karma
Reply
Solved! Jump to solution

richnavis
Contributor
‎07-02-2013 09:13 AM

Thanks.. I didn't think to use event types.. but perhaps I will use them for some other things I do. However, in this case, the number of type of events could number in the hundreds, making event types impractical.. good suggestion tho...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...