Solved: Regex Help in splunk 6.1.3

pavanae · ‎10-04-2015

The following were the different strings visible in my splunk search results…

"SYSTEM_USE_CD" : "C"
"SYSTEM_RSP_CD" : "0100"
"SYSTEM_STAT_CD" : "ACCEPT"

Now with the help of regex in my search string i want to display only these values and also want to see their stats count for these three of them like

system_cd Count

"SYSTEM_USE_CD" : "C" (some count)
"SYSTEM_RSP_CD" : "0100" (some count)

"SYSTEM_STAT_CD" : "ACCEPT" (some count)

Please help me how to display these stats from a splunk search with the help of regex

alacercogitatus · ‎10-05-2015

You could do something like this:

<your_search> | rex field=_raw "SYSTEM_(?<system_cd>[^_]+)_CD.\s*:\s*\"(?<system_cd_value>[^\"]+)" | stats count by system_cd system_cd_value

You will probably also want to auto-extract these as well, it will keep your searches clean.

View solution in original post

alacercogitatus · ‎10-05-2015

You could do something like this:

<your_search> | rex field=_raw "SYSTEM_(?<system_cd>[^_]+)_CD.\s*:\s*\"(?<system_cd_value>[^\"]+)" | stats count by system_cd system_cd_value

You will probably also want to auto-extract these as well, it will keep your searches clean.

pavanae · ‎10-05-2015

Worked Great Thanks..

echalex · ‎10-05-2015

Hi,

Can you post some sample lines? It is not completely clear from the context what sort of regex would do the trick.

Regex Help in splunk 6.1.3

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!