Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract string and separate results by different strings

EricLloyd79
Builder
‎04-15-2014 08:04 AM

I have been looking for days for an answer to this on Splunk answers and elsewhere.

I have a query like this:
sourcetype="*-xxx01" (XXX0014 OR XXX0019 OR XXX0018 OR XXX0015) | timechart span=30m COUNT

XXX014, XXX019, XXX018, XXX015 are all strings in each log entry (they are KPIs) (its either XXX014 or XXX019 or XXX018 or XXX015 obviously in each log entry). I am trying to get results returned that are in columns so I can separate the results based on these KPIs. This would be so easy if they were part of a field. I could use "by fieldname" but these aren't part of a field. I was hoping I could do "COUNT by sum(XXX0014) sum(XXX019) sum(XXX018) sum(XXX015)" but that doesn't work. Below is an example of a log entry. Any help would be greatly appreciated!! (ultimate goal is a timechart bar graph that separates by different string values in each span)

2014-04-15 15:00:48,056 [INFO] [UUID=XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX subNo=XXXXXXXXXXX yhn=000000000] XXX0014: Ignored notification grant. cause=IgnoreNotificationException Ignore Grant Notification

Where it says XXX0014... that is the value I want to separate my results with.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2014 08:47 AM

The easiest would be to get them extracted into a field, say KPI, and do a timechart count by KPI. For your sample event, you should be able to temporarily extract the field like this:

base search | rex "\]\s+(?<KPI>\w+):" | timechart count by KPI

If that works, move the extraction to the config (Settings -> Fields -> Field Extractions) so you can drop the rex call from the search. If your other KPIs are in differently looking events you can define multiple extractions that all yield the same field name.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-15-2014 08:47 AM

The easiest would be to get them extracted into a field, say KPI, and do a timechart count by KPI. For your sample event, you should be able to temporarily extract the field like this:

base search | rex "\]\s+(?<KPI>\w+):" | timechart count by KPI

If that works, move the extraction to the config (Settings -> Fields -> Field Extractions) so you can drop the rex call from the search. If your other KPIs are in differently looking events you can define multiple extractions that all yield the same field name.

Reply
Solved! Jump to solution

EricLloyd79
Builder
‎04-15-2014 09:19 AM

This worked beautifully... thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...