How can I search on this key-value pair to display PricingInfo / PriceCount?
An example log entry may look like the below.
1001=25, 1011=10
Made up of these values:
PricingInfo PricingCount
0000 Contains an int from 0-99
0001 Contains an int from 0-99
0010 Contains an int from 0-99
0011 Contains an int from 0-99
0100 Contains an int from 0-99
0101 Contains an int from 0-99
0110 Contains an int from 0-99
0111 Contains an int from 0-99
1000 Contains an int from 0-99
1001 Contains an int from 0-99
1010 Contains an int from 0-99
1011 Contains an int from 0-99
1100 Contains an int from 0-99
1101 Contains an int from 0-99
1110 Contains an int from 0-99
1111 Contains an int from 0-99
You may get the needed information with something like this:
... | stats count by PricingInfo
Great thanks!
But it just looks like this in Splunk 1100=4:
Timestamp=2015-03-18 07:07:31, Level=INFO, EventId=16007, ReqID=bcacbafd-bddb-49d4-8d36-a7445daf0fc6, 1100=4
I think search time field extraction will help you:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions
Two approaches:
First, extract two fields:
... | rex "(?<PricingInfo>[0-1]{4})=(?<PricingCount>\d{1,2})" | ...
After this you can search like this:
... | search PricingInfo="1100" PricingCount="4" | ...
OR
Extract one field:
... | rex "(?<PricingField>[0-1]{4}=\d{1,2})" | ...
After this you can search like this:
... | search PricingField="1100=4" | ...
Give more detail.
I have some Splunk logging that has a field (key) that represents a bitmask, and a value. There's a fixed number of bitmask combinations as listed in the PricingInfo column above. I need to do some counting of the values and have been unable to do so with the way the field is constructed. We would need to add a field to represent the bitmask values, and a field for the count such as above.
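An added example, not part of the original thread: an offline Python check of a bitmask/count extraction pattern against constructed events in the format shown above, including an event that carries several pairs, followed by a per-PricingInfo tally similar to `stats count, sum(PricingCount) by PricingInfo`. The sample events, the function names and the `\b` anchors are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample events in the format shown in the thread.
SAMPLE_EVENTS = [
    "Timestamp=2015-03-18 07:07:31, Level=INFO, EventId=16007, "
    "ReqID=bcacbafd-bddb-49d4-8d36-a7445daf0fc6, 1100=4",
    "Timestamp=2015-03-18 07:07:32, Level=INFO, EventId=16007, "
    "ReqID=0f1e2d3c-1010-4a5b-8c7d-9e0f1a2b3c4d, 1001=25, 1011=10",
    "Timestamp=2015-03-18 07:07:33, Level=INFO, EventId=16007, "
    "ReqID=11112222-3333-4444-5555-666677778888, 1100=99, 1001=0",
]

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
# \b keeps the key from matching inside a longer token (assumption of this
# example); \d{1,2} covers the documented 0-99 range.
PAIR_RE = re.compile(r"\b(?P<PricingInfo>[01]{4})=(?P<PricingCount>\d{1,2})\b")


def extract_pairs(event):
    """Return every (PricingInfo, PricingCount) pair found in one event."""
    return [(m["PricingInfo"], int(m["PricingCount"]))
            for m in PAIR_RE.finditer(event)]


def stats_by_pricing_info(events):
    """Count occurrences and sum PricingCount for each PricingInfo value."""
    totals = defaultdict(lambda: {"count": 0, "sum": 0})
    for event in events:
        for key, value in extract_pairs(event):
            totals[key]["count"] += 1
            totals[key]["sum"] += value
    return dict(totals)


if __name__ == "__main__":
    for key, row in sorted(stats_by_pricing_info(SAMPLE_EVENTS).items()):
        print(key, row["count"], row["sum"])
```

In Splunk itself, `rex` returns only the first match per event unless `max_match` is raised, so events with more than one pair need that option to see every pair.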