Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not receiving results when a value contains a with period and underscore?

saikamaldidigam
New Member
‎02-06-2017 09:21 AM

I would like to show results group by "SLA Request Key". I am able to view sample Data-2 but not Sample Data-1

Sample Data-1:
{"key":"SLA Request Key","value":"mls.ILSP_CONTNR_SKU_INSERT"}]}

Sample Data-2:
{"key":"SLA Request Key","value":"GetPickGroupsByBinLocation"}]}

index = xyz "Database Call Exceeded SLA" | rex field=_raw "SLA Request Key\",\"value\":\"(?\\w+)\"}]}" | stats count by slaKey

when i run this search, i am only getting the results for Sample Data-2(GetPickGroupsByBinLocation) not "mls.ILSP_CONTNR_SKU_INSERT" this. I assume this is not parsing stats count by when value is combined with Dot and Underscore

Can any one please help me?

Thanks in Advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎02-06-2017 10:28 AM

Since you are having json, why don't you use spath in your search? I would suggest put the extraction in the props.conf. Any how answering your question, try...

 your base search   | spath | stats c by key

Sample search ..

|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"mls.ILSP_CONTNR_SKU_INSERT\"}]}" | append [|stats c | eval _raw="{\"key\":\"SLA Request Key\",\"value\":\"GetPickGroupsByBinLocation\"}]}" ] | spath | stats c by key
V
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:10 PM

Thank you so much for your reply.

But your solution is not the one exactly which i am looking for.

Though this will be incredibly useful for me in future.

Thanks again for your valuable response.

0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:16 PM

If you can give me solution for your reply

"your base search | spath | stats c by key"

There are many keys in my raw data i was looking for key "SLA Request Key" and i want to exclude remaining keys and i want stats count by key
something like this

"my Base search ""SLA Request Key"" | spath | stats c by key -remove key2, key3 .........keyn"

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2017 09:39 AM

Your regex string is only looking for word characters (letters, numbers, and underscores) so periods don't match. Try 

... | rex "SLA Request Key\",\"value\":\"(?<field>[\.\w]+)\"}]}" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

saikamaldidigam
New Member
‎02-06-2017 02:09 PM

Thank you so much it worked for me !

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...