My events look like the following; the last 8 digits are the item no.
2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.
2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.
My base search is
"is not cartonable"
so the aim is to get all events which contain "is not cartonable" and get either the count of products or the top products out of those events.
try this
your search|rex field=_raw ".*is not cartonable.*(?<item>\d{8}).*"|chart count by item
Thanks kml_uvce,
I put the following in the search, as you said:
is not cartonable|rex field=_raw ".is not cartonable.(?d{8})"|chart count by item
but I get an error:
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?d{8})': Regex: unrecognized character after (? or (?-
Thanks a lot, I have tried field extraction and it worked perfectly.
It also worked with replacing d with w.
Events with "packing rule is defined" are like:
2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.
2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.
2014-11-28 00:10:21.422 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273230 is not cartonable because of packing rule is defined for item T1C3nrEz.
2014-11-28 00:10:21.415 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274966 is not cartonable because of packing rule is defined for item tkP3KYwu.
2014-11-28 00:10:21.412 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267099 is not cartonable because of packing rule is defined for item FWjgQ7Vy.
2014-11-28 00:10:21.411 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273217 is not cartonable because of packing rule is defined for item McEbo7ry.
2014-11-28 00:10:21.390 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274953 is not cartonable because of packing rule is defined for item 7o11ZiQx.
You can use rex also and replace d with w in the query. I thought it was 8 digits, as you mentioned earlier, but it's characters.
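To show what the `rex ... | chart count by item` pipeline from the answer above actually does on these events, and why "replace d with w" is only half the fix, here is an added example (my code, not part of this thread or of Splunk). It runs the posted patterns over the sample lines in plain Python: `re` spells a named group `(?P<item>...)` where Splunk's rex writes `(?<item>...)`; otherwise the patterns are unchanged. The `for item (?P<item>\S+)\.$` pattern is my own suggestion, based only on the assumption that the item is the last token before the trailing "."; the final duplicate event is constructed so that a count greater than 1 appears.

```python
import re
from collections import Counter

# Events copied from the thread above, plus one constructed line at the end
# (same item, different order number) so that a count of 2 shows up.
EVENTS = [
    "2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.",
    "2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.",
    "2014-11-28 00:10:21.422 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273230 is not cartonable because of packing rule is defined for item T1C3nrEz.",
    "2014-11-28 00:10:21.415 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274966 is not cartonable because of packing rule is defined for item tkP3KYwu.",
    "2014-11-28 00:10:21.412 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267099 is not cartonable because of packing rule is defined for item FWjgQ7Vy.",
    "2014-11-28 00:10:21.411 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273217 is not cartonable because of packing rule is defined for item McEbo7ry.",
    "2014-11-28 00:10:21.390 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274953 is not cartonable because of packing rule is defined for item 7o11ZiQx.",
    # constructed, not from the thread: a second order with the same item
    "2014-11-28 00:10:21.389 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274954 is not cartonable because of packing rule is defined for item 7o11ZiQx.",
]

# Splunk rex: (?<item>...)   Python re: (?P<item>...)   -- same regex otherwise.
PATTERN_DIGITS = r".*is not cartonable.*(?P<item>\d{8}).*"  # the answer as posted (8 digits)
PATTERN_WORD = r".*is not cartonable.*(?P<item>\w{8}).*"    # "replace d with w"
# Assumption (mine): the item is whatever follows "for item " up to the final ".".
# \S+ also accepts the "/" in eFrNP/Ry, which \w{8} does not.
PATTERN_ROBUST = r"for item (?P<item>\S+)\.$"


def extract_items(events, pattern):
    """Mimic `rex field=_raw "<pattern>"`: one value per event, None when the regex does not match."""
    rx = re.compile(pattern)
    items = []
    for raw in events:
        m = rx.search(raw)
        items.append(m.group("item") if m else None)
    return items


def chart_count_by_item(events, pattern):
    """Mimic `| chart count by item`: events with no extracted item are silently dropped."""
    return Counter(i for i in extract_items(events, pattern) if i is not None)


def top_items(events, pattern, n=3):
    """Mimic `| top limit=n item` (count only, no percent column)."""
    return chart_count_by_item(events, pattern).most_common(n)


def coverage(events, pattern):
    """(matched, total): how many input events produced an item at all.

    Compare this with the event count of the base search before trusting the chart;
    a too-strict regex under-reports without raising any error."""
    matched = sum(1 for i in extract_items(events, pattern) if i is not None)
    return matched, len(events)


if __name__ == "__main__":
    for name, pat in [("digits", PATTERN_DIGITS), ("word", PATTERN_WORD), ("robust", PATTERN_ROBUST)]:
        print(name, coverage(EVENTS, pat), top_items(EVENTS, pat))
```

On these lines the `\d{8}` pattern matches nothing (0 of 8 events), `\w{8}` matches 7 of 8 and silently loses `eFrNP/Ry`, and the `\S+` pattern covers all 8. In Splunk the same check is the base search's event count against the sum of the chart's counts; the SPL I would try, as an assumption rather than something the thread confirms, is `"is not cartonable" | rex field=_raw "for item (?<item>\S+)\.$" | chart count by item`.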
Yes, I have changed the query and added "*" and "backslash" as you said:
is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item
It's not in error now, but it's showing:
Item count
true 18
I think the search for events should be
"packing rule is defined"
Do I need to change anything in the rex query?
See, I think it's coming because there is a "." at the end. There is some printing problem, so we are facing this issue. You can use another method: search
"your search" "is not cartonable" and then extract the field item (http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX)
and then
"your search" "is not cartonable"|chart count by item
My search is now:
is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item
I get an error:
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: unrecognized character after (? or (?-
I think it's not recognizing "\".
I did put "*" after each "." as well.
Have you put a backslash before d?
And also please see the new changes in the above query.
Thanks for helping, now I get this error:
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: nothing to repeat
Does that mean there is no duplicate item?
There is a printing problem; I changed the answer above. You can put "*" after both "." and a "backslash" before d.
Sorry, I am really new to Splunk.
It's a printing problem: put "*" after both "." and a "backslash" before d.