Splunk Search

Eval on a string and stats

nbharadwaj
Path Finder

I have a several log lines like this:

X:20100507193758.385:50:INFO:DTM:AppServerStartupTaskManager-pool-1-thread-1:Release Version Information Release Name: 164.18.1 Deployment Changelist:

How do I parse this to report on the Release Name string? I want to generate stats on how many releases I have had in a month/quarter.

Something like this does not give me what I want, I have to input some regular expressions here I think:

index="x" "Release Name: 164." | eval releaseName="Release Name: 164.*" | stats distinct_count(hosts) by releaseName, instance

Tags (1)
0 Karma
1 Solution

dwaddle
SplunkTrust
SplunkTrust

Use a regular expression (regex) to extract this as a search-time field. Try something like

 index="x" | rex field=_raw "Release Name: (?<release_name>[^\s]+)" | stats distinct_count(hosts) by release_name, instance

You may want to review the docs at http://www.splunk.com/base/Documentation/4.0.10/Knowledge/Addfieldsatsearchtime

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

Use a regular expression (regex) to extract this as a search-time field. Try something like

 index="x" | rex field=_raw "Release Name: (?<release_name>[^\s]+)" | stats distinct_count(hosts) by release_name, instance

You may want to review the docs at http://www.splunk.com/base/Documentation/4.0.10/Knowledge/Addfieldsatsearchtime

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...