Solved: Help combining 2 searches

apalen · ‎05-15-2014

I am attempting to do this search:
host = pesweb* "payment via manually entered card" | stats count by users
My data looks like:
2014-05-15 13:20:08,728 INFO [resin-port-foo port pdeur: foo port invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java) - payment via manually entered card: user/amt/invoice = pdeur/foo123

The bold is the user id associated to these event, but when i attempt the above search it doesn't detect that as a user id.

My questions is how may i make it do so? Should i use some type of field extract? My end gold is to be able to see which user's are doing this method and allow our customer support team to reach out to these customers and see why they are entering this information manually.

Thanks in advance splunk community!

MuS · ‎05-16-2014

Hi apalen,

based on your provided examples, try something like this:

 your base search here | rex field="_raw" "user/amt/invoice\s=\s(?<myUser>[\w\d]{3,10})" | table myUser

this will create a new field named myUser if this matches your needs you can use this as automatic field extraction.

hope this helps ...

cheers, MuS

View solution in original post

apalen · ‎05-16-2014

oh sorry, the user id's are tag at the beginning and end.

foo
foo123

MuS · ‎05-16-2014

Hi apalen,

based on your provided examples, try something like this:

 your base search here | rex field="_raw" "user/amt/invoice\s=\s(?<myUser>[\w\d]{3,10})" | table myUser

this will create a new field named myUser if this matches your needs you can use this as automatic field extraction.

hope this helps ...

cheers, MuS

apalen · ‎05-16-2014

Thanks MuS, I will try this!

somesoni2 · ‎05-16-2014

And the user Id in these logs is "11950843","11950841" etc OR "ENC11950843","ENC11950841"?

apalen · ‎05-16-2014

user id's can be a combination of alphanumeric values between 3 and 10 digits.

apalen · ‎05-16-2014

[foo123:10095 aaaZ5kH3likxE8fFvwfyu ENC11950841] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo123/2681/11950841

[foo:2513 aaaVBhyhrcPFc5cFUGfyu ENC11950843] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/5000/11950843

apalen · ‎05-16-2014

Here is a snippet of our logs, i have scrubed some of the data
2014-05-16 11:01:51,065 INFO [ foo:10598 aaaJQk5ZSIo446szyJfyu ENC11945241] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/2925/11945241
2014-05-16 11:01:25,165 INFO [ ] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = null/27155/11951016

somesoni2 · ‎05-15-2014

Or provide some more sample events (to cover all possibilities) and Splunkers can help you will regex.

somesoni2 · ‎05-15-2014

You can use Splunk's inbuild Field Extractor for the same. (In event view of the data, click on small triangle on the left of event [Event options menu] and select 'Extract fields'. provide example values and click on generate. You can save the field extraction from there as well)

http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/ExtractfieldsinteractivelywithIFX

apalen · ‎05-15-2014

I was afraid of this. My regex is pretty weak. If anyone in the community is a regex pro, with a few minutes i would greatly appreciated any directions on this regex to produce the results I'm looking for.

As always thanks in advance splunk community!

somesoni2 · ‎05-15-2014

You will have to create field extract/use rex command to retrieve field 'user', as its not in Splunk's standard format (key-value pair).

Help combining 2 searches

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms