Splunk Search

Extracting from multiple fields and group by Domain name

thiagarajan
Explorer

My logs look like this:

Tue Aug 27 2013 00:34:47 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(372165969)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:4c4b1672-9af1-4f95-a28b-d78611bd6a6
Backend:lprva1234.test.com:6090
Domain:SpaceK

Tue Aug 27 2013 00:35:28 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(379832419)[error][10.14.24.263]: Either service is down or transaction timed out for Service:MyList
UUID:8f3dc371-845c-4768-928b-35938dacffb6
Backend:lprva4567.test.com:6087
Domain:SpaceH

Tue Aug 27 2013 00:54:39 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(327317173)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:99dafd8f-9639-4d8e-ac5d-5d0d5a35ae77
Backend:lprva7891.test.com:6090
Domain:SpaceK

Sun Sep 01 2013 00:23:27 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112725141)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:2e57e791-e6fe-4b0e-b401-77de0a2ba511
Backend:lprva8225.test.com:6091
Domain:SpaceL

Sun Sep 01 2013 00:23:37 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112727877)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:523b378f-14d3-41c2-8357-e8642a595c5d
Backend:lprva8228.test.com:6091
Domain:SpaceL

The regex for timedoutservice is -> (?i)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+)
Search query is -> sourcetype="MyLog" ("transaction timed out for Service:" MyTest) |stats count as errorcount by timedoutservice

I am getting result something similar to this

timedoutservice                         errorcount
WorkspaceData                               2
MyList                                      1
MyConnnect                                  2

Expected result

timedoutservice                        errorcount        Domain
WorkspaceData                               2            SpaceK
MyList                                      1            SpaceH
MyConnnect                                  2            SpaceL

UUID and Backend will be changing but the domain name remains same for all the services.
The regex for domainName is -> (?i)\tDomain:(?P<Domain>.+)

I just tried to combine both the results

((?i)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+)(?i)\tDomain:(?P<Domain>.+))

I am getting the exception "Invalid regex: no named extraction at position 0 (i.e., "((?i)^(?:[..."). Expected "(?Ppattern)"
Do I need to use group by? How do I extract from multiple fields? Any help is appreciated.

0 Karma

thiagarajan
Explorer

This is what I expected. Thank you very much for the quick reply. Can you explain why I am able to get the host name without group by?

0 Karma

lukejadamec
Super Champion

The field

domain:value

should be extracted automatically.

If it is not, have you tried the automated field extraction wizard? (down arrow key next to the event in a regular search)

If it is, then something like this should work:

sourcetype="MyLog" ("transaction timed out for Service:" MyTest) |stats count as errorcount by timedoutservice,domain
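
The extraction and grouping discussed in the question and in this answer, worked through outside Splunk as an added example (this is not code from the thread or from Splunk): the question's two regexes are applied as two separate named-group extractions to the five events pasted above, and the result is counted by (timedoutservice, Domain), which is what "stats count ... by timedoutservice,domain" produces. Two assumptions are mine: the Domain pattern accepts either a tab or a line start before "Domain:" (the question anchors on a tab, the pasted events show one field per line) and captures up to whitespace instead of ".+", and a sixth event is constructed to show what the grouping does when a service is not tied to a single domain.

```python
import re
from collections import Counter, defaultdict

# Sample input: the five multi-line events pasted in the question, separated by blank lines.
SAMPLE_EVENTS = """\
Tue Aug 27 2013 00:34:47 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(372165969)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:4c4b1672-9af1-4f95-a28b-d78611bd6a6
Backend:lprva1234.test.com:6090
Domain:SpaceK

Tue Aug 27 2013 00:35:28 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(379832419)[error][10.14.24.263]: Either service is down or transaction timed out for Service:MyList
UUID:8f3dc371-845c-4768-928b-35938dacffb6
Backend:lprva4567.test.com:6087
Domain:SpaceH

Tue Aug 27 2013 00:54:39 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(327317173)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:99dafd8f-9639-4d8e-ac5d-5d0d5a35ae77
Backend:lprva7891.test.com:6090
Domain:SpaceK

Sun Sep 01 2013 00:23:27 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112725141)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:2e57e791-e6fe-4b0e-b401-77de0a2ba511
Backend:lprva8225.test.com:6091
Domain:SpaceL

Sun Sep 01 2013 00:23:37 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112727877)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:523b378f-14d3-41c2-8357-e8642a595c5d
Backend:lprva8228.test.com:6091
Domain:SpaceL
"""

# Constructed extra event (not from the thread): MyList reporting a different domain, to show
# how "by timedoutservice,domain" splits rows when a service is seen with more than one domain.
EXTRA_EVENT = """\
Tue Aug 27 2013 01:02:03 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(000000001)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyList
UUID:00000000-0000-0000-0000-000000000000
Backend:lprva0000.test.com:6087
Domain:SpaceZ"""

# The question's timedoutservice regex: skip five colon-terminated segments, then capture the
# service name. Kept separate from the Domain regex; Splunk rejected the concatenated form
# because its leading "(" opened an unnamed group at position 0 and extractions must be named.
SERVICE_RE = re.compile(r"^(?:[^:]*:){5}(?P<timedoutservice>\S+)", re.IGNORECASE)

# Assumption: "Domain:" may follow a tab (as in the question's regex) or start a line (as in
# the pasted events); capture up to whitespace so a trailing CR or space is not swallowed.
DOMAIN_RE = re.compile(r"(?:^|\t)Domain:(?P<Domain>\S+)", re.IGNORECASE | re.MULTILINE)


def split_events(text):
    """Split raw text into events on blank lines (Splunk would do this with its line-breaking rules)."""
    return [block.strip() for block in re.split(r"\n\s*\n", text) if block.strip()]


def extract_fields(event):
    """Return {'timedoutservice': ..., 'Domain': ...}, or None if either field is missing."""
    svc = SERVICE_RE.match(event)
    dom = DOMAIN_RE.search(event)
    if not svc or not dom:
        return None
    return {"timedoutservice": svc.group("timedoutservice"), "Domain": dom.group("Domain")}


def count_by_service_and_domain(text):
    """Equivalent of '| stats count as errorcount by timedoutservice,Domain'."""
    counts = Counter()
    for event in split_events(text):
        fields = extract_fields(event)
        if fields is None:
            continue  # events with a missing field drop out of the stats, as in Splunk
        counts[(fields["timedoutservice"], fields["Domain"])] += 1
    return dict(counts)


def domains_per_service(text):
    """Domains each service was seen with; more than one means the grouped result has extra rows."""
    seen = defaultdict(set)
    for service, domain in count_by_service_and_domain(text):
        seen[service].add(domain)
    return {service: sorted(domains) for service, domains in seen.items()}


def render_table(counts):
    """Lay the grouped counts out like the expected result in the question."""
    rows = ["timedoutservice   errorcount   Domain"]
    for (service, domain), n in sorted(counts.items()):
        rows.append(f"{service:17} {n:10}   {domain}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(count_by_service_and_domain(SAMPLE_EVENTS)))
    print(domains_per_service(SAMPLE_EVENTS + "\n\n" + EXTRA_EVENT))
```

On the five events from the question, the table matches the expected result (WorkspaceData/SpaceK 2, MyList/SpaceH 1, MyConnnect/SpaceL 2); adding the constructed SpaceZ event gives MyList two rows, one per domain, which is the behaviour to expect from grouping on both fields whenever the "domain is the same for all events of a service" assumption stops holding.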

thiagarajan
Explorer

This is what I expected. Thank you for the quick reply. But can you tell how I am getting the domain name without any group by? Is it because the domain name is unique?

0 Karma