Splunk Search

How to edit my search to extract numeric values with rex and create a line chart?

sankarms
Explorer

I have thousands of log files that look like this

[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM
Content-length: 0

The logs contain a: timestamp, unique request id, and length of the content. I want to make a line chart that shows the content-length on the y-axis and the request on the x-axis so you can see over a span of time, what were all the content-lengths received. I first tried to count the lengths with this search:

"Content-length: " | rex  (?<length>\d+) | stats count(length)

In English, I'm trying to say "you have 5 requests with a content length of 0, 10 requests with a content length of 5, etc etc". What am I doing wrong?

0 Karma
1 Solution

niketn
Legend

@Sankarms, slight change to your search, I think events are being counted by their length:

Your base search "Content-length: " | rex field=_raw "Content-length:\s+(?<length>\d+)" | stats count by length
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


adamsaul
Communicator

Sankarms,

Here is an example you can paste directly into your Splunk search bar, to extract the length found and label it as 'length':

| makeresults | eval example="[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM Content-length: 0" | rex field=example "Content-length:\s*(?<length>\d+)"

If the content above looks good, your search should be as follows:

"Content-length: " | rex field=_raw "Content-length:\s*(?<length>\d+)" | stats count(length)
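Both answers above hinge on anchoring the capture group to the literal `Content-length:` text. As an added example (not code from either poster or from Splunk), the following Python runs the same two regexes over constructed sample events in the format from the question, so you can see directly why the bare `\d+` from the original search cannot work even once it is quoted: the first run of digits in each event is the day in the timestamp, so every event is counted under "27" rather than under its real content length. Python names groups as `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the event strings, request ids and the `HEADER` pattern that pulls the request id for the chart's x-axis are all constructed here.

```python
import re
from collections import Counter

# Constructed sample events in the format shown in the question (not real log data).
# The last one has no Content-length, to show how rex-style extraction treats it.
SAMPLE_EVENTS = [
    "[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM Content-length: 0",
    "[27/Oct/2016:20:09:01 --0700] WBLBSdFyTFYAAHPuH1kAAAAN Content-length: 5",
    "[27/Oct/2016:20:09:03 --0700] WBLBSdFyTFYAAHPuH1kAAAAO Content-length: 0",
    "[27/Oct/2016:20:09:10 --0700] WBLBSdFyTFYAAHPuH1kAAAAP Content-length: 512",
    "[27/Oct/2016:20:09:12 --0700] WBLBSdFyTFYAAHPuH1kAAAAQ Content-length: 5",
    "[27/Oct/2016:20:09:15 --0700] WBLBSdFyTFYAAHPuH1kAAAAR",
]

# Anchored pattern, the Python spelling of the accepted answer's regex:
#   rex field=_raw "Content-length:\s+(?<length>\d+)"
# (Python names groups (?P<name>...); Splunk's PCRE accepts (?<name>...).)
ANCHORED = re.compile(r"Content-length:\s+(?P<length>\d+)")

# Unanchored pattern from the question, once the quotes rex requires are added:
#   rex "(?<length>\d+)"
# It captures the first run of digits in the event, which is the day in the timestamp.
UNANCHORED = re.compile(r"(?P<length>\d+)")

# Leading timestamp and request id; constructed here only to label the chart's x-axis.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<request_id>\S+)")


def extract_length(event, pattern=ANCHORED):
    """Return the captured length as an int, or None when the pattern does not
    match; rex likewise leaves the field absent on non-matching events."""
    m = pattern.search(event)
    return int(m.group("length")) if m else None


def count_by_length(events, pattern=ANCHORED):
    """Equivalent of `| stats count by length`: one row per distinct length,
    with events that have no length field dropped from the count."""
    lengths = (extract_length(e, pattern) for e in events)
    return dict(Counter(l for l in lengths if l is not None))


def per_request_series(events, pattern=ANCHORED):
    """Rows for the line chart the question asks for: request id on the x-axis,
    content-length on the y-axis, in event order."""
    rows = []
    for e in events:
        length = extract_length(e, pattern)
        header = HEADER.match(e)
        if length is None or header is None:
            continue
        rows.append((header.group("request_id"), length))
    return rows


if __name__ == "__main__":
    print("anchored  :", count_by_length(SAMPLE_EVENTS))
    print("unanchored:", count_by_length(SAMPLE_EVENTS, UNANCHORED))
    for request_id, length in per_request_series(SAMPLE_EVENTS):
        print(f"{request_id}\t{length}")
```

With the anchored pattern the sample events count as two of length 0, two of length 5 and one of length 512, which is the "5 requests with a content length of 0, 10 with a content length of 5" table the question describes; with the unanchored pattern all six events collapse into a single bucket for 27. The rows from `per_request_series` are what the requested line chart plots, and the event with no `Content-length` simply drops out, just as it would after rex in Splunk.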