Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search for pattern and if condition greater than chart splunk search

harkirat9712
Explorer
‎01-28-2020 12:20 AM

Hi Team,

I have a query that output below.

loggerName="test" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }

Here I would like to capture/Search for the 'Test OS;11.3'

and make it to Test-OS=11.3 and count and chart the Test-OS values (Please note 11.3 is variable value)

Then the I would like to chart the number of logs entries with Test-OS > 13.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-28-2020 09:37 AM

extract check:

| makeresults
| eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }"
 | rex "Test OS;(?<Test_OS>[\d.]+)"

recommend:

your_search
| rex "Test OS;(?<Test_OS>[\d.]+)"
| stats count by Test_OS
| where Test_OS > 13

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎01-28-2020 09:37 AM

extract check:

| makeresults
| eval _raw="loggerName=\"test\" DC=Test ENV=IT AppName=Test2 HostPort=9443 ClientIP=17.XXX.XX.XXX ClientAppId= ClientAppName= txnId=test1 sessionId=test2 method=test requestHeaders={x---geo-test=TEST, x--test=000, dsid=000188, postman-token=TEST, User-Agent=PostmanRuntime/7.20.1, mid=test x-gs-token=test altdsid=test, deflate, Content-Length=83, X-Real-IP=test, Content-Type=application/json, Cookie=SA-Locale=en_US; dslang=US-EN, Accept=/, Host=sse-ws-p189-test.apple.com ,no-cache,X-MMe-Client-Info= x-mme-client-info= X-MMe-Client-Info= <=Test OS;11.3;16G102> }"
 | rex "Test OS;(?<Test_OS>[\d.]+)"

recommend:

your_search
| rex "Test OS;(?<Test_OS>[\d.]+)"
| stats count by Test_OS
| where Test_OS > 13
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎01-28-2020 06:13 AM

Unless i am missing something, I cant see Test OS;11.3 in your event?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

harkirat9712
Explorer
‎01-28-2020 11:23 AM

Added. Pls check.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...