How to build a dashboard to show extracted email details from a log file?

moiezuddin
Explorer

Please help to create a dashboard for the log file /opt/www/logs/nbcucentral/nbcucentral.log to extract users' SSO, last name, and email address.

Examples from this log file, /opt/www/logs/nbcucentral/nbcucentral.log:

[09/03/2015] [06:57:57.510] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 10.99.145.82] [206456577] [User details Lipsit, Christopher :: Chri.Lipsit@bolfchannel.com]
[09/03/2015] [06:28:42.976] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 10.99.145.145] [206457105] [User details Pelfrey, John :: John.Pelf@bolfchannel.com]
[09/03/2015] [05:13:50.242] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 3.161.145.238] [206453165] [User details Douguet, Juliette :: Julie.Dou@bcun.com
0 Karma
1 Solution

satishsdange
Builder

Could you please try below -

index=test | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | table Name, Email

Similarly you can extract SSO as well. You will find an option to save it as report/dashboard on right side (above time range picker).

0 Karma

satishsdange
Builder

Please append w with slash.

0 Karma

moiezuddin
Explorer

It does not work

source="/opt/www/logs/nbcucentral/nbcucentral.log"| rex "(?Pw+.w+@w+.w+)" | rex "details (?Pw+)" | table Name Email

showing error

Error in 'rex' command: Encountered the following error while compiling the regex '(?Pw+.w+@w+.w+)': Regex: unrecognized character after (?P
The search job has failed due to an error. You may be able view the job in the Job Inspector

0 Karma

satishsdange
Builder

Did you use backslash before w?

0 Karma

moiezuddin
Explorer

It's not working, can you please come up with another example? Thanks for the quick response.

0 Karma

ppablo
Retired

Hi @moiezuddin

I just edited @satishdange's answer to properly show all the characters for the regular expression in the search. The backslashes \ were not displaying properly. Your search above didn't include the backslashes. Can you try the search now with the correct syntax and see if you still get that error?

0 Karma

moiezuddin
Explorer

Thanks for your effort, but it's still not working.
I extracted new fields and tested and named the fields as per my requirement.
Now it's showing the results:

source="/opt/www/logs/nbcucentral/nbcucentral.log" LastName=* OR Email=* OR SSO=* | table SSO,Email,LastName

Can you please let me know how to get the top 20 results of the above query?

0 Karma

satishsdange
Builder

Please try this

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | stats count by Name, Email | Head 20

moiezuddin
Explorer

Thank you very much for your help.
The result showing in the dashboard is excellent.
One thing is missing: SSO.
SSO is a field for getting user IDs,
so how can I add the SSO field in the query?

0 Karma

markthompson
Builder

What do you mean add it?

If you want to extract more, you can add another rex, if you already have it as a field, then add it after Email.

0 Karma

moiezuddin
Explorer

I did it in the below way:

source="/opt/www/logs/nbcucentral/nbcucentral.log" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "details (?P<SSO>\w+)" | stats count by Name, SSO, Email | Head 20

Here I added the SSO field.

The SSO field needs to show the user ID, like 2065554822,
but the SSO field is showing the name of the user, not his user ID.

What do I need to do? Kindly assist.

0 Karma

satishsdange
Builder

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | stats count by Name, Email, User_ID | Head 20

moiezuddin
Explorer

Hi,

Can you help me to add 2 more fields in the above query please?
Fields are jobTitle, orgName, userType

Thanks

0 Karma

moiezuddin
Explorer

I did like this

source="/opt/www/logs/nbcucentral/nbcucentral.log" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "(?i)^(?:[^\\[]*\\[){5}(?P<SSO>[^\\]]+)" | rex "details (?P<Name>\w+)" | stats count by Name, SSO, Email | Head 20

It's working, showing the results exactly. Thank you very much for your time.
Great work boss .. 🙂
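
Added example (not part of the thread and not any poster's code): a Python check that runs one anchored pattern over the three sample lines from the question, so the extraction can be validated offline before it goes into a search. The names USER_DETAILS, LOOSE_EMAIL, extract, top and the FirstName group are assumptions made for this example, and the multi-dot address is constructed.

```python
import re
from collections import Counter

# Constructed input: the three sample lines from the question, as posted
# (the third line is cut off in the post and has no closing bracket).
SAMPLE = """\
[09/03/2015] [06:57:57.510] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 10.99.145.82] [206456577] [User details Lipsit, Christopher :: Chri.Lipsit@bolfchannel.com]
[09/03/2015] [06:28:42.976] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 10.99.145.145] [206457105] [User details Pelfrey, John :: John.Pelf@bolfchannel.com]
[09/03/2015] [05:13:50.242] [INFO ] [FILE: com.nbcu.registration.VerifyMailServlet.doPost() IP:- 3.161.145.238] [206453165] [User details Douguet, Juliette :: Julie.Dou@bcun.com
"""

# One anchored pattern instead of three independent ones: the SSO must be the
# bracketed number directly before "[User details", and dots are escaped.
USER_DETAILS = re.compile(
    r"\]\s+\[(?P<SSO>\d+)\]\s+"
    r"\[User details (?P<LastName>[^,\]]+),\s*(?P<FirstName>[^:\]]+?)\s*::\s*"
    r"(?P<Email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
)

# The e-mail pattern from the thread, kept as posted for comparison.
LOOSE_EMAIL = re.compile(r"(?P<Email>\w+.\w+@\w+.\w+)")


def extract(text):
    """Return one dict of fields per line that carries a 'User details' record."""
    return [m.groupdict() for m in map(USER_DETAILS.search, text.splitlines()) if m]


def top(rows, n=20):
    """Count per (SSO, LastName, Email), highest count first, limited to n rows."""
    return Counter((r["SSO"], r["LastName"], r["Email"]) for r in rows).most_common(n)


if __name__ == "__main__":
    for key, count in top(extract(SAMPLE)):
        print(count, *key)
    # Constructed address with more than one dot on each side of the @:
    # the thread's pattern captures only part of it.
    print(LOOSE_EMAIL.search("j.q.public@mail.example.com")["Email"])
```

The USER_DETAILS pattern uses the same (?P<name>...) group syntax as the rex commands in the thread.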
