Splunk Search

Search on this Key Value pair to display PricingInfo / PricingCount

smudge797
Path Finder

How can I search on this Key Value pair to display PricingInfo / PricingCount

An example log entry may look like the below.

1001=25, 1011=10

Made up of these values:

PricingInfo PricingCount
0000 Contains an int from 0-99
0001 Contains an int from 0-99
0010 Contains an int from 0-99
0011 Contains an int from 0-99
0100 Contains an int from 0-99
0101 Contains an int from 0-99
0110 Contains an int from 0-99
0111 Contains an int from 0-99
1000 Contains an int from 0-99
1001 Contains an int from 0-99
1010 Contains an int from 0-99
1011 Contains an int from 0-99
1100 Contains an int from 0-99
1101 Contains an int from 0-99
1110 Contains an int from 0-99
1111 Contains an int from 0-99

0 Karma

bjoernjensen
Contributor

You may get the needed information with something like this:

... | stats count by PricingInfo
0 Karma

smudge797
Path Finder

Great thanks!

0 Karma

smudge797
Path Finder

But it just looks like this in Splunk 1100=4:

Timestamp=2015-03-18 07:07:31, Level=INFO, EventId=16007, ReqID=bcacbafd-bddb-49d4-8d36-a7445daf0fc6, 1100=4

0 Karma

bjoernjensen
Contributor

I think search time field extraction will help you:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions

Two approaches:

1

first extract two fields:

... | rex "(?<PricingInfo>[0-1]{4})=(?<PricingCount>\d{1,2})" | ...

After this you can search like this:

... | search PricingInfo="1100" PricingCount="4" | ...

OR

2

extract one field:

... | rex "(?<PricingField>[0-1]{4}=\d{1,2})" | ...

After this you can search like this:

... | search PricingField="1100=4" | ...
0 Karma
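The extraction in the answer above, worked through outside Splunk as an added example (this is not code from the thread or from Splunk): Python applying the same regex shape to a few constructed log lines in the layout the question shows, returning every pair in an event (which `rex` only does with `max_match=0`, and the question's sample line carries two pairs), then aggregating the way `stats count by PricingInfo` and `stats sum(PricingCount) by PricingInfo` would, and splitting the four-character key into its bits. The sample events, their ReqIDs, and the assumption that the leftmost character of the key is bit 3 are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events in the layout the thread shows; not real data.
# The second line carries two pairs, like the question's "1001=25, 1011=10",
# and its ReqID deliberately contains runs of 0/1 to show they are not picked up.
SAMPLE_EVENTS = [
    "Timestamp=2015-03-18 07:07:31, Level=INFO, EventId=16007, "
    "ReqID=bcacbafd-bddb-49d4-8d36-a7445daf0fc6, 1100=4",
    "Timestamp=2015-03-18 07:07:32, Level=INFO, EventId=16007, "
    "ReqID=0c2e1a10-0110-4a5e-9f1c-1100abcd1234, 1001=25, 1011=10",
    "Timestamp=2015-03-18 07:07:33, Level=INFO, EventId=16007, "
    "ReqID=7f0e6d5c-4b3a-2918-0706-050403020100, 1100=7",
    "Timestamp=2015-03-18 07:07:34, Level=WARN, EventId=16008, "
    "ReqID=00000000-1111-0000-1111-000011110000, 0000=0",
]

# Same shape as the rex in the answer, with two guards added: the count may be
# one or two digits (values run 0-99), and the pair must not be glued to other
# alphanumerics, so a 0/1 run inside a GUID or an EventId is skipped.
PAIR_RE = re.compile(
    r"(?<![0-9A-Za-z_])(?P<PricingInfo>[01]{4})=(?P<PricingCount>\d{1,2})(?![0-9])"
)


def extract_pairs(event):
    """All (PricingInfo, PricingCount) pairs in one event, left to right.

    rex keeps only the first match unless max_match=0 is given; every match
    is returned here so a line with two pairs yields both.
    """
    return [(m.group("PricingInfo"), int(m.group("PricingCount")))
            for m in PAIR_RE.finditer(event)]


def count_by_pricing_info(events):
    """Equivalent of `... | stats count by PricingInfo`: number of pairs per key."""
    return Counter(info for e in events for info, _ in extract_pairs(e))


def sum_by_pricing_info(events):
    """Equivalent of `... | stats sum(PricingCount) by PricingInfo`."""
    totals = Counter()
    for e in events:
        for info, count in extract_pairs(e):
            totals[info] += count
    return totals


def set_bits(pricing_info):
    """Bit positions set in a four-character key, most significant first.

    Assumption (not stated in the thread): the leftmost character is bit 3,
    so '1100' -> [3, 2].
    """
    return [3 - i for i, ch in enumerate(pricing_info) if ch == "1"]


def count_by_bit(events):
    """How many pairs have each bit set: a per-flag view of the bitmask key."""
    per_bit = Counter()
    for e in events:
        for info, _ in extract_pairs(e):
            per_bit.update(set_bits(info))
    return per_bit


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract_pairs(e))
    print(count_by_pricing_info(SAMPLE_EVENTS))
    print(sum_by_pricing_info(SAMPLE_EVENTS))
    print(count_by_bit(SAMPLE_EVENTS))
```

The two guards in the pattern, `(?<![0-9A-Za-z_])` and `(?![0-9])`, are what keep a run of 0/1 inside a GUID or an EventId from being taken for a key while still letting a two-digit count through; `rex` uses PCRE, so the same additions can be made to the patterns in the answer if real events turn out to carry such runs.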

tachifelix
Path Finder

give more detail

0 Karma

smudge797
Path Finder

I have some Splunk logging that has a field (key) that represents a bitmask, and a value. There's a fixed number of bitmask combinations as listed in the PricingInfo column above. I need to do some counting of the values and have been unable to do so with the way the field is constructed. We would need to add a field to represent the bitmask values, and a field for the count such as above.

0 Karma