regarding Search

rajgowd1 · ‎01-01-2017

HI,
we have log which has some key value pairs and one of the key is instance which has values like 0,1,2
when ever there is an issue,application logs displays instance 0 crashed,instance 0 STARTED instance 1 STOPPED

i am trying to display in scatter chart in x-axis time and in Y-Axis status like UPDATE,CRASHED,STARTED or STOPPED

here is the search i am trying with table but how can we show them in scatter

when i try to display in table with below search,for last column newmsg always displays UPDATE for all

here is the sample log

<6>2017-01-01T05:59:42Z 2ejoqs8tf0q doppler[20]: {"appid":"beaffaf8-28d8-4d2b-959b-c71a7547283f","appname":"demo-prod",
"ignoredapp":false,"orgid":"55c398bc-86d0-4443-ad97-1711fe264638","orgname":"LATAM-MX-DIGITAL","cf_origin":"firehose",
"space_id":"51e0484a-d642-4f37-b979-d40336913f8f","env":"CC-PORTAL-UAT3","deployment":"cf","event_type":"LogMessage",
"ip":"168.72.205.40","job":"cloud_controller-partition-a2833c853cfafee70104","job_index":"2","level":"info","messtype":"OUT",
"msg":"App instance exited with guid beaffaf8-28d8-4d2b-959b-c71a7547283f payload: {\"instance\"=\u003e\"d0bfa02d-43d8-439c-7d4b-d29cb9e13835\",
\"index\"=\u003e0, \"reason\"=\u003e\"CRASHED\", \"exit_description\"=\u003e\"2 error(s) occurred:\n\n* 2 error(s) occurred:\n\n* Codependent
step exited\n* cancelled\n* cancelled\", \"crash_count\"=\u003e134, \"crash_timestamp\"=\u003e1483250382557858527,
\"version\"=\u003e\"7e7e8a62-a249-4608-a69b-d55daf3947c6\"}","origin":"cloud_controller","source_instance":"2","source_type":"API",
"time":"2017-01-01T05:59:42Z","timestamp":1483250382577570779}

niketn · ‎01-01-2017

You would need to reconsider your regular expression for field extraction. Assuming msg field contains the reason information that you want to extract:

<Your Base Search>
| rex field=msg "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\," 
| table appname, time, source_instance, msg, newmsg 
| sort appname, time, source_instance, newmsg

If msg field does not have the reason as expected, you can replace msg with _raw i.e.

| rex field=_raw "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\,"

PS: Ideal you should move this to Field Extraction using Extract New Fields in Splunk Search or through Props.conf, once you have established that the regular expression is working as expected. For quick hints/testing regular expressions you can try regex101.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rajgowd1 · ‎01-02-2017

Hi,
it throwing error when i replace the regular expression

| rex field=_raw "reason\\"=\(?\w+)\\"(?\w+)\\"\,"

Error in 'rex' command: Encountered the following error while compiling the regex 'reason\"=(?\w+)\"(?\w+)\"\,': Regex: unmatched parentheses

and i would like to show them in scatter graph,which i explained in my question.

rajgowd1 · ‎01-02-2017

i tried this search and got result with different states

eval newmsg="UPDATE" | rex field=_raw "(?CRASHED|STARTED|STOPPED)"

how can we show this scatter chart or in D3

x-axis as time and
y-axis as CRASHED,STARTED,STOPPED or UPDATE

rajgowd1 · ‎01-02-2017

regarding Search

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...