How I can create a search with more than one field...

mstachul · ‎06-27-2016

Hello,

I have logs in this format:

2016-06-27 21:35:50 (123456789467056149): string11 creating to String12:
a1  3
a2  1
a3  -12
a4  12345678

2016-06-27 21:35:51 (987654321123033111): string21 creating to String22:
a1  7
a2  11
a3  -36
a4  23456789

I want to create a search with results in the format:

a4   count(String12)   count(String22)
12345678    7                5
23456789   1                 3

Could anyone you help me create search?

diogofgm · ‎07-04-2016

Just create the extractions to create the fields you need

Your search | rex "creating to (?<service>[^\:]) | rex "a4\s+(?<a4>[\d]*) | chart count over service by a4

You can make the extractions also in you sourcetype definition on props.conf

------------
Hope I was able to help you. If so, some karma would be appreciated.

mstachul · ‎06-30-2016

Thank you for your interest in the topic 🙂

a4 shows 8 sign long digital string (in example was otherwise, I corrected it) - formated: a4\t12345678
Not all in logs looks the same, but for sought events are the same.
I'm searching how often in log for unique a4 can find different service names (in example was String12, String22, etc.) in the analyzed period.

It's more clearly?

maciep · ‎06-28-2016

can you explain the logic behind the search results you want? how did you get those final numbers based on the first set of numbers? are any of those fields already extracted in your data? Does each event in Splunk contain the timestamp and the a1-a4 lines?

How I can create a search with more than one field from specific logs format?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life