Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Stats with _raw field

mcscjlf
Explorer
‎07-14-2022 09:12 AM

Hello, 

In my search I'm trying to get a series of events (transact - which is in the _raw field) counted out by another field in _raw for GET or POST. This is what I'm currently using: 

host="EXAMPLE-*" sourcetype=Hex4 /ps/* | rex mode=sed field=_raw "s/(\S+)(tx_\S+)(\/\S+)/\1trans\3/g" | rex mode=sed field=_raw "s/(\S+)(nce_\S+)(\/\S+)/\1nce\3/g" | rex mode=sed field=_raw "s/(\S+)(dce_\S+)(\/\S+)/\1dvc\3/g" | rex "POST (?<transact>\S+)" | stats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST by transact

It does bring up the transactions and columns for GET and POST, but the counts are blank so I know I'm doing something wrong. 

Any help would be greatly appreciated!

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2022 09:27 AM

Check that the method field has actually been extracted

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2022 09:27 AM

Check that the method field has actually been extracted

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...