I have several log lines like this:
X:20100507193758.385:50:INFO:DTM:AppServerStartupTaskManager-pool-1-thread-1:Release Version Information Release Name: 164.18.1 Deployment Changelist:
How do I parse this to report on the Release Name string? I want to generate stats on how many releases I have had in a month/quarter.
Something like this does not give me what I want; I think I have to input some regular expressions here:
index="x" "Release Name: 164." | eval releaseName="Release Name: 164.*" | stats distinct_count(hosts) by releaseName, instance
Use a regular expression (regex) to extract this as a search-time field. Try something like
index="x" | rex field=_raw "Release Name: (?<release_name>[^\s]+)" | stats distinct_count(hosts) by release_name, instance
You may want to review the docs at http://www.splunk.com/base/Documentation/4.0.10/Knowledge/Addfieldsatsearchtime