Solved: How to generate a search for specific words in row...

jw44250 · ‎01-17-2017

My search result is like this :

result 1
. message hello test helo test

result 2
. message hello test helo test

result3
. message hello test helo test

count or group by message1, message 2

lguinn2 · ‎01-17-2017

First, you can't create a variable with a name that starts with underscore (_).
Here is a way to group them and report; this answer includes some of the ideas in the comments as well.

index=index1 "message hello1" OR "message hello2" plus whatever else belongs in your search
| rex "message\s(?<message>.{1,20})"
| eval message=case (isnull(message),"No message",
            match(_raw,"hello1") OR user="admin","Msg 3",
            match(_raw,"hello2"),"Msg 2",
            match(_raw,"hello1"),"Msg 1" )
| stats count by message

First, the rex command looks at the raw text for the word "message" followed by a space, and then collects the following 20 characters (or less if there aren't 20 characters remaining on the line).
Next, the eval command checks for a number of conditions: is the message field null (meaning that there was no match in the rex command), does it match one of several patterns? Notice that the tests are executed in order, and the first true condition determines the new value of message. If none of the conditions are true, the value of message is unchanged. This gives you the ability to further categorize the data if you wish. If not, you can leave out the entire eval command.
Finally, the stats command counts the number of occurrences of each message.

View solution in original post

DalJeanis · ‎06-14-2017

@jw44250 - did you ever get a solution to this one?

jw44250 · ‎06-15-2017

Yes..thanks from everyone...sorry been busy with work..

DalJeanis · ‎01-18-2017

This question is extremely vague and not well-formed. It's not possible to give you code to solve your issue if the structure of the data isn't understood accurately.

1) Is there a field that is the one that contains the word message, or are we checking the _raw event data?

2) If the details of the message location can vary widely, please explain in English how exactly YOU (as a human) would determine that two messages inside the _raw data were exactly the same? What would you use as the boundaries of the "message" part of the _raw data?

3) If the value of the whole message is to be extracted from _raw data, then please show us two entire messages -- different but similar -- with all the timestamps and other field markers present. You can obfuscate the data as needed -- replace the hostnames with "myhost", usernames with "myusername" etc. Once we see this, we can code you a regular expression to pull out the message data.

As a general case, I'm assuming that we are aiming for something like this -

index=myindex [your original search] | search "message" 
| rex field=_raw "some regular expression that pulls out (?<TheMessage>.*) and leaves out stuff that isn't the message..."
| stats count by TheMessage

nabeel652 · ‎01-17-2017

assuming in your results "result_field" starts with word message and ends with last word of the message. I have assumed that your result field can start with
message ...
message= ...
message = ... etc

Blockquote

 your search ...   | rex field=result_field "message\s*\=*\s*(?<Msg>.*)$" | stats count by Msg

Blockquote

jw44250 · ‎01-17-2017

where you are getting this data "field=result_field" ... it will not work since i dont have any field or unique anything...its just a stamement like "This message from john"

jw44250 · ‎01-17-2017

The message can appear any place ...these statements comes from logs files
Suppose you have statements like:

Result 1
"This message from john."

Result 2
"Message sorry boss not wrong data"

Result
"Pls correct your message before going forward"

jw44250 · ‎01-17-2017

Result 4
"This message from john."

Result 5
"Message sorry boss not wrong data"

Result 5
"Pls correct your message before going forward"

Group Message A => 1 and 4 = "This message from john"
Group Message B => 2 & 5 " = "Message sorry boss not data"
Group Message C = 3 & 6 result "pls correct your message before going forward"

lguinn2 · ‎01-17-2017

First, you can't create a variable with a name that starts with underscore (_).
Here is a way to group them and report; this answer includes some of the ideas in the comments as well.

index=index1 "message hello1" OR "message hello2" plus whatever else belongs in your search
| rex "message\s(?<message>.{1,20})"
| eval message=case (isnull(message),"No message",
            match(_raw,"hello1") OR user="admin","Msg 3",
            match(_raw,"hello2"),"Msg 2",
            match(_raw,"hello1"),"Msg 1" )
| stats count by message

First, the rex command looks at the raw text for the word "message" followed by a space, and then collects the following 20 characters (or less if there aren't 20 characters remaining on the line).
Next, the eval command checks for a number of conditions: is the message field null (meaning that there was no match in the rex command), does it match one of several patterns? Notice that the tests are executed in order, and the first true condition determines the new value of message. If none of the conditions are true, the value of message is unchanged. This gives you the ability to further categorize the data if you wish. If not, you can leave out the entire eval command.
Finally, the stats command counts the number of occurrences of each message.

jw44250 · ‎01-17-2017

there is no unique field ,

somesoni2 · ‎01-17-2017

Is the message field already extracted? If not, share some sample result so that we can suggest a regex for it to extract. After the fields extraction, you could simply use ...| stats count by messagetype of commands.

jw44250 · ‎01-17-2017

index= index1 "message"

message can appear anywhere, start of paraph, midd, end,etc

Query Result

"message hello1"

message=" message hello2";

message="message hello1"

message="hello message test"

message="mikale"

jw44250 · ‎01-17-2017

actually needed to group them

"message hello1"
message=" message hello2";
message="hello message test"
message="mikale"
there is not unique field.. i want make new field and
do something like

_row="subtring(message) 0-20 characters as meesage

aaraneta_splunk · ‎01-17-2017

@jw44250 - It would be helpful if you were to provide the search you're already using. Also, the more information you provide in your post, the greater chance of it being answered with a working solution.

How to generate a search for specific words in row data?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk