Splunk Search

How to edit my search to find the total count for three different actions?

splunkman341
Communicator

Hi guys,

I wanted to know how I would go about getting the total count for each document action over the past 30 days. The document actions are as follows:

BROWSE DOCUMENTS


woodcock
Esteemed Legend

As @bmacias84 implied, you put it together like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action

splunkman341
Communicator

I tried to put it together with the document actions as mentioned, and the search did not work. I get the error message

Error in 'rex' command: Encountered the following error while compiling the regex '(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)': Regex: missing )

The code I tried to execute is as follows:

index=doccloud_main sourcetype=doccloud_sb | rex "(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)" | stats count by document_action

woodcock
Esteemed Legend

I should have tested his RegEx. This works:

documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)

I have updated my answer.

splunkman341
Communicator

I was kind of wondering if I could tweak this further (graphically) so it displays each of the actions mentioned above on a day-to-day basis. For example, it would show a count of how many documents were added, updated, downloaded, viewed, etc. daily.

Is that possible?


woodcock
Esteemed Legend

Yes, like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action

splunkman341
Communicator

I get one giant bar of null when executing:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action

I think it just added everything into one bar


woodcock
Esteemed Legend

Did you run your search for more than 1 day? I told it to bucket by days. If you would like to run a shorter search and bucket by hours, switch span=1d to span=1h.

splunkman341
Communicator

I tried for one day and for 30 days and get the same result. I want the total count of each action on a day to day basis for the past 30 days.


woodcock
Esteemed Legend

The problem is probably your scale; one of the values (null?) is so large that it drowns out the other bars. Change the Y-axis format from "linear" to "log" and you should see all the bars. If it is null that is killing you, you can strip it out like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | where isnotnull(document_action) | timechart span=1d count by document_action

splunkman341
Communicator

WORKS BETTER THAN A DREAM!


splunkman341
Communicator

EXCELLENT!!!


bmacias84
Champion

@splunkman341, your regex is invalid. ( and ) are part of the regex syntax used for groups; you have to escape them. I recommend that you visit http://www.regular-expressions.info. If you would like service, check out my updated regex statement.


splunkman341
Communicator

EmployeeDocumentServicesImp.getDocument() is one of the three actions


bmacias84
Champion

@splunkman341, if you are simply looking for a regex that will extract the document action, the following will work.

...| rex field=_raw "EmployeeDocumentServicesImpl\.(?<document_action>[^\(]+)" | stats count by document_action

Updated to include service as extracted group.

...| rex field=_raw "rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action

Both work on all samples provided and match in under 25 steps.
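To check the thread's rex pattern offline before running it against an index, here is an added example (not from the thread or from Splunk) that applies the same named-group regex in Python to a few constructed log lines, reproduces `stats count by document_action` and the daily `timechart` with null events dropped, and shows why the unescaped-parentheses pattern from the error above fails to compile. The event format with a leading ISO timestamp is an assumption.

```python
import re
from collections import Counter, defaultdict

# Python form of the thread's rex: Splunk writes (?<name>...), Python (?P<name>...).
ACTION_RE = re.compile(
    r"documentcloud\.rs\.services\.(?P<service>[^.]+)\.(?P<document_action>[^(]+)"
)

# Constructed sample events in the shape the thread implies; not real doccloud_sb data.
SAMPLE_EVENTS = [
    "2024-03-01T09:12:01Z INFO documentcloud.rs.services.EmployeeDocumentServicesImpl.listDocuments(user=42)",
    "2024-03-01T10:30:44Z INFO documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocument(id=7)",
    "2024-03-01T11:02:13Z INFO documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocumentPDF(id=7)",
    "2024-03-02T08:00:00Z INFO documentcloud.rs.services.EmployeeDocumentServicesImpl.getDocument(id=9)",
    "2024-03-02T08:05:00Z WARN heartbeat ok",  # no match: this is the 'null' bucket Splunk charts
]

def extract(event):
    """Return (service, document_action), or None when the rex does not match."""
    m = ACTION_RE.search(event)
    if not m:
        return None
    return m.group("service"), m.group("document_action")

def count_by_action(events):
    """Equivalent of: ... | stats count by document_action (unmatched events are dropped)."""
    counts = Counter()
    for e in events:
        hit = extract(e)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)

def timechart_by_action(events):
    """Equivalent of: ... | where isnotnull(document_action)
    | timechart span=1d count by document_action. Day = first 10 chars of the assumed timestamp."""
    buckets = defaultdict(Counter)
    for e in events:
        hit = extract(e)
        if hit:
            buckets[e[:10]][hit[1]] += 1
    return {day: dict(c) for day, c in sorted(buckets.items())}

def regex_compiles(pattern):
    """Mirrors the 'missing )' error: a bare ( opens a group, so unbalanced parens fail."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```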
