As @bmacias84 implied, you put it together like this:
index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action
I tried to put it together with the document actions as mentioned, and the search did not work. I get the error message:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)': Regex: missing )
The code I tried to execute is as follows:
index=doccloud_main sourcetype=doccloud_sb | rex "(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)" | stats count by document_action
I should have tested his RegEx. This works:
documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)
I have updated my answer.
I was kind of wondering if I could tweak this further (graphically) so it displays each of the actions mentioned above on a day-to-day basis. For example, it would show a count of how many documents were added, updated, downloaded, viewed, etc. daily.
Is that possible?
Yes, like this:
index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action
I get one giant bar of null when executing:
index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action
I think it just added everything into one bar
Did you run your search for more than 1 day? I told it to bucket by days. If you would like to run a shorter search and bucket by hours, switch span=1d to span=1h.
I tried for one day and for 30 days and get the same result. I want the total count of each action on a day to day basis for the past 30 days.
The problem is probably your scale; one of the values (null?) is so large that it drowns out the other bars. Change the Y-axis format from "linear" to "log" and you should see all the bars. If it is null that is killing you, you can strip it out like this:
index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | where isnotnull(document_action) | timechart span=1d count by document_action
WORKS BETTER THAN A DREAM!
EXCELLENT!!!
@splunkman341, your regex is invalid. ( and ) are part of the regex syntax used for groups; you have to escape them. I recommend that you visit http://www.regular-expressions.info. If you would like service, check out my updated regex statement.
EmployeeDocumentServicesImp.getDocument() is one of the three actions
@splunkman341, if you are simply looking for a regex that will extract the document action, the following will work.
...| rex field=_raw "EmployeeDocumentServicesImpl\.(?<document_action>[^\(]+)" | stats count by document_action
Updated to include service as an extracted group.
...| rex field=_raw "rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action
Both work on all samples provided and match in under 25 steps.
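The following is an added Python example, not code from the thread or from Splunk, that reproduces offline what the two searches above do: the accepted answer's `rex` extraction followed by `stats count by document_action` and `timechart span=1d count by document_action` with and without the `where isnotnull(document_action)` filter, and bmacias84's point that unescaped `()` in the pattern is a capture group rather than the literal parentheses. The log lines are constructed for illustration (the timestamps, user ids and document ids are invented), and the pattern string is the exact one from the answer, rewritten from PCRE's `(?<name>...)` to Python's `(?P<name>...)` group syntax.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Exact rex pattern from the accepted answer. Splunk's rex uses PCRE, which
# names groups as (?<name>...); Python's re module needs (?P<name>...), so the
# string is rewritten mechanically (safe here because it has no lookbehind).
SPL_REGEX = r"documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)"
PATTERN = re.compile(SPL_REGEX.replace("(?<", "(?P<"))

# Constructed sample events (not real data from the thread). Two of them do
# not contain a service call at all, which is where rex leaves the extracted
# fields null.
SAMPLE_EVENTS = [
    "2023-03-01 09:12:04 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.listDocuments() user=a1",
    "2023-03-01 09:12:09 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocument() id=17",
    "2023-03-01 11:40:51 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocumentPDF() id=17",
    "2023-03-01 11:41:02 WARN  connection pool at 80% capacity",
    "2023-03-02 08:00:13 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.listDocuments() user=b2",
    "2023-03-02 08:03:44 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocument() id=42",
    "2023-03-02 08:03:45 INFO  heartbeat ok",
    "2023-03-02 17:55:20 INFO  com.documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocument() id=43",
]


def extract_fields(event):
    """Mimic `rex`: return {'service': ..., 'document_action': ...} for a
    matching event, or None when the pattern does not match (null fields)."""
    m = PATTERN.search(event)
    return m.groupdict() if m else None


def count_by_action(events):
    """`... | stats count by document_action`. Events whose group-by field is
    null are dropped, exactly as stats does."""
    counts = Counter()
    for ev in events:
        fields = extract_fields(ev)
        if fields is not None:
            counts[fields["document_action"]] += 1
    return dict(counts)


def timechart_by_day(events, drop_null=True):
    """`... | timechart span=1d count by document_action`, returned as
    {day: {action: count}}. With drop_null=False the non-matching events are
    kept as a 'NULL' series, the oversized bar the thread ran into;
    drop_null=True corresponds to `| where isnotnull(document_action)`."""
    buckets = defaultdict(Counter)
    for ev in events:
        # The first 10 characters of each constructed line are the date.
        day = datetime.strptime(ev[:10], "%Y-%m-%d").date().isoformat()
        fields = extract_fields(ev)
        if fields is None:
            if not drop_null:
                buckets[day]["NULL"] += 1
            continue
        buckets[day][fields["document_action"]] += 1
    return {day: dict(c) for day, c in sorted(buckets.items())}


def parens_must_be_escaped():
    """bmacias84's point: an unescaped () is an empty capture group, so the
    match stops at the bare method name, while backslash-escaped parentheses
    match the literal '()' in the event."""
    text = "EmployeeDocumentServicesImpl.listDocuments() id=1"
    unescaped = re.search(r"listDocuments()", text).group(0)
    escaped = re.search(r"listDocuments\(\)", text).group(0)
    return unescaped, escaped


if __name__ == "__main__":
    print(count_by_action(SAMPLE_EVENTS))
    print(timechart_by_day(SAMPLE_EVENTS, drop_null=False))
    print(timechart_by_day(SAMPLE_EVENTS))
    print(parens_must_be_escaped())
```

Running it shows the same picture the thread describes: per action the totals are listDocuments 2, getDocument 3, getDocumentPDF 1; the per-day table with `drop_null=False` carries an extra NULL column for the non-matching lines, and with the null filter applied only the real actions remain. The last function returns `'listDocuments'` for the unescaped pattern and `'listDocuments()'` for the escaped one, which is why `[^\(]+` stops at the opening parenthesis in the answers above.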