Splunk Search

How can I get the top products in the following events?

ansbilal
Explorer

My events look like the following, with the last 8 digits being the item no.

2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.

2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.

My base search is
"is not cartonable"

so the aim is to get all events which contain "is not cartonable" and get either the count of products or the top products out of those events

1 Solution

kml_uvce
Builder

Try this:
your search|rex field=_raw ".*is not cartonable.*(?<item>\d{8}).*"|chart count by item

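A corrected form of the accepted search, added here as an example rather than kml_uvce's own post: it restores the `.*` and `\d` that the forum stripped, and because the sample items (`WaPMxJNx`, `eFrNP/Ry`) are eight characters rather than eight digits, it anchors on the literal `for item` text instead of `\d{8}`. The field names `order` and `item` and the `[^\s.]+` item pattern (assumes item codes contain no dot) are assumptions.

```spl
"is not cartonable" "packing rule is defined"
| rex field=_raw "Order (?<order>\d+) is not cartonable .* for item (?<item>[^\s.]+)"
| stats count AS events dc(order) AS orders BY item
| sort - events
```

Replace the last two lines with `| top item` to get the top products directly; note that `\w{8}` would still miss items such as `eFrNP/Ry` that contain `/`.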
ansbilal
Explorer

Thanks kml_uvce:
I did the following in search as you said:

is not cartonable|rex field=_raw ".is not cartonable.(?d{8})"|chart count by item

but I get an error:
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?d{8})': Regex: unrecognized character after (? or (?-

ansbilal
Explorer

Thanks a lot, I have tried field extraction and it worked perfectly.

ansbilal
Explorer

It also worked with replacing d with w.

ansbilal
Explorer

Events with "packing rule is defined" are like:

2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.

2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.

2014-11-28 00:10:21.422 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273230 is not cartonable because of packing rule is defined for item T1C3nrEz.

2014-11-28 00:10:21.415 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274966 is not cartonable because of packing rule is defined for item tkP3KYwu.

2014-11-28 00:10:21.412 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267099 is not cartonable because of packing rule is defined for item FWjgQ7Vy.

2014-11-28 00:10:21.411 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273217 is not cartonable because of packing rule is defined for item McEbo7ry.

2014-11-28 00:10:21.390 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274953 is not cartonable because of packing rule is defined for item 7o11ZiQx.

kml_uvce
Builder

You can use rex also and replace d with w in the query. I thought it was 8 digits as you mentioned earlier, but it's characters.

ansbilal
Explorer

Yes, I have changed the query and added "*" and "backslash" as you said:

is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item

It's not in error now but showing:
Item count
true 18

ansbilal
Explorer

I think the search for events should be "packing rule is defined". Do I need to change anything in the rex query?

kml_uvce
Builder

See, I think it's coming because there is a "." at the end; there is some printing problem, so we're facing an issue. You can use another method: search
"your search" "is not cartonable" and then extract the field item (http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX)
and then
"your search" "is not cartonable"|chart count by item

ansbilal
Explorer

My search is now:
is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item

I get an error:

Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: unrecognized character after (? or (?-

I think it's not recognizing "\".

ansbilal
Explorer

I did put "*" after each "." as well.

kml_uvce
Builder

Have you put a backslash before d?
And also please see the new changes in the above query.

ansbilal
Explorer

Thanks for helping, now I get this error:
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: nothing to repeat

Does that mean there is no duplicate item??

kml_uvce
Builder

There is a printing problem; I changed the answer above. You can put "*" after both "." and a "backslash" before d.

ansbilal
Explorer

Sorry, I am really new to Splunk.

kml_uvce
Builder

It's a printing problem. Put "*" after both "." and a "backslash" before d.