Grouping based on Regex and occurrences of language

jaango123
Engager

Hi,

I am new to Splunk and I managed to construct the below query to generate statistics with the help of the answer from user richgalloway.
I just want to group by the language and calculate the count of such occurrences.

Sample log (the URL link starts with http; I can't post any links directly right now):

Aug 03 07:53:34 servername_APP_LOG [IN_PROD][12345678][APP_LOG][note] abc(NewService): Id(125678)[RESP][1.2.3.4] Globid(45678912): REQ=ABC.ElectronicsService,Customer=JIKL,NUM=34872,HTTPRES="200 OK",Fromcache=true,Result="",Op_name=ABCElectronicsService.getallpages.v1.0,Receive=Accepted,Policy=onepermin,Value=345,time=1,spent=2,Size=2,RspSize=123,Format=json,Actual=,remaining=2.3.4.5,Rest="GET url starting with http/salo/vbghj/gr/gr/val/prot/34567",Rwe="",Notice="",GH="version 1.1"

My current query (the query is fine), built with the help of user richgalloway in my previous question:

"[APP_LOG]" "[IN_PROD]"
 | rex "https?:\/\/.*?\/.*?\/(?<language>\w\w\/\w\w)\/"
 | rex "rest=\"(?<Request>\w+)"
 | stats count as RequestCount count(Customer=*) count(eval(HTTPRES="200 OK")) as SuccessCount count(eval(HTTPRES!="200 OK")) as FailureCount values(language) as Language values(Request) as Request by Customer, REQ
 | table Customer, REQ, RequestCount, SuccessCount, FailureCount, Request, Language

I would like to get the table as follows; the only difference is to get the count based on language instead of RequestCount, and the corresponding language.

 Customer  REQ                       Countperlanguage           SuccessCount   Failure  Request          Language
   JIKL            ABC.ElectronicsService     3                        5                    3           2         GET                gr/gr

I tried grouping like below, but it didn't work.

"[APP_LOG]" "[IN_PROD]"
 | rex "https?:\/\/.*?\/.*?\/(?<language>\w\w\/\w\w)\/"
 | rex "rest=\"(?<Request>\w+)"
 | stats count as RequestCount count(Customer=*) count(eval(HTTPRES="200 OK")) as SuccessCount count(eval(HTTPRES!="200 OK")) as FailureCount values(language) as Language values(Request) as Request by Customer, REQ, Language
 | stats count as langcount count(Language)
 | table Customer, REQ, langcount, SuccessCount, Failure, Request, Language
0 Karma

niketn
Legend

@jaango123, it seems like you just need to remove | stats count as langcount count(Language) from your query. You have already applied Language in the by clause of the previous stats command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jaango123
Engager

Yeah... But that failed, saying Language cannot be used as it is the same as the field name:
"The output field 'Language' cannot have the same name as a group-by field"

0 Karma

niketn
Legend

Take out values(language) as Language from your second-to-last stats command. You already have aggregation by the Language field in the same stats command.

  | stats count as RequestCount count(Customer=*) count(eval(HTTPRES="200 OK")) as SuccessCount count(eval(HTTPRES!="200 OK")) as FailureCount values(Request) as Request by Customer, REQ, Language
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jaango123
Engager

Awesome... Yeah this one worked.

0 Karma

gcusello
SplunkTrust

Hi jaango123,
Sorry, but I don't understand where you want to apply your regexes: in your sample there aren't any "rest" or "https" words.
If you don't set a field, the rex command searches _raw, and in your sample there are no events that match the regexes.
So could you share another sample to try the regexes on, or better explain your request?
If you want to insert a URL in your comment, use the Code Sample button (101 010).

Bye.
Giuseppe

0 Karma

jaango123
Engager

Aug 03 07:53:34 servername_APP_LOG [IN_PROD][12345678][APP_LOG][note] abc(NewService): Id(125678)[RESP][1.2.3.4] Globid(45678912): REQ=ABC.ElectronicsService,Customer=JIKL,NUM=34872,HTTPRES="200 OK",Fromcache=true,Result="",Op_name=ABCElectronicsService.getallpages.v1.0,Receive=Accepted,Policy=onepermin,Value=345,time=1,spent=2,Size=2,RspSize=123,Format=json,Actual=,remaining=2.3.4.5,rest="GET http://salo/vbghj/gr/gr/val/prot/34567",Rwe="",Notice="",GH="version 1.1"
0 Karma

jaango123
Engager

Thanks. The sample above can be used. My first query worked. However, I wanted to group by the Language (regex) and get the count of it.
When I try the second query I get: The output field 'Language' cannot have the same name as a group-by field

0 Karma

gcusello
SplunkTrust

Could you share an example where there is rest?
Bye.
Giuseppe

0 Karma

jaango123
Engager

It is there in the above example - ..............,rest="GET http://salo/vbghj/gr/gr/val/prot/34567",Rwe="",Notice="",GH="version 1.1"

0 Karma

gcusello
SplunkTrust

Sorry, but I don't understand your need.
And the second stats is strange; maybe you need | stats count as langcount by Language ?
Anyway, after a stats command you have only the fields of that stats command, so after the second one you have only langcount and Language. If you also want the other fields, you have to add values(<field>) AS field for each field you want, something like this:

| stats values(Customer) AS Customer values(REQ) AS REQ values(SuccessCount) AS SuccessCount values(Failure) AS Failure values(Request) AS Request count as langcount by Language

Bye.
Giuseppe

0 Karma
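The accepted fix from niketn (one stats grouped by Customer, REQ, Language, with values(language) removed) and gcusello's two caveats (rex is case-sensitive and runs on _raw; a second stats keeps only its own fields) can be checked outside Splunk. The Python below is an added example, not code from this thread or from Splunk: it re-implements the thread's two rex patterns plus Splunk-style key=value extraction over constructed APP_LOG lines (the layout and field names follow the posted sample; the customers, URLs and statuses are made up), then produces the same rows the accepted query would. It also shows two things the query itself does not make visible: an event whose field is spelled Rest= instead of rest= keeps its Language but loses its Request, and an event the language regex does not match disappears entirely from the output, because a stats "by" clause excludes events whose group-by field is null.

```python
import re
from collections import defaultdict

# The two rex patterns from the thread, in Python named-group syntax.
# Like Splunk's rex they are case-sensitive: 'Rest="...' does not match REQUEST_RE.
LANG_RE = re.compile(r"https?://.*?/.*?/(?P<language>\w\w/\w\w)/")
REQUEST_RE = re.compile(r'rest="(?P<Request>\w+)')
# Stand-in for Splunk's automatic key=value extraction (quoted or bare, comma-separated).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def make_event(customer, req, httpres, rest_key, method, url):
    """Constructed APP_LOG line in the shape of the thread's sample (assumed layout)."""
    return (
        "Aug 03 07:53:34 servername_APP_LOG [IN_PROD][12345678][APP_LOG][note] "
        "abc(NewService): Id(125678)[RESP][1.2.3.4] Globid(45678912): "
        f'REQ={req},Customer={customer},NUM=34872,HTTPRES="{httpres}",Fromcache=true,'
        f'Format=json,Actual=,{rest_key}="{method} {url}",Rwe="",GH="version 1.1"'
    )


# Constructed sample events (hypothetical customers, URLs and statuses, not real data).
SAMPLE_EVENTS = [
    make_event("JIKL", "ABC.ElectronicsService", "200 OK", "rest", "GET",
               "http://salo/vbghj/gr/gr/val/prot/34567"),
    make_event("JIKL", "ABC.ElectronicsService", "200 OK", "rest", "GET",
               "http://salo/vbghj/gr/gr/val/prot/99999"),
    make_event("JIKL", "ABC.ElectronicsService", "500 Internal Server Error", "rest", "POST",
               "http://salo/vbghj/gr/gr/val/prot/34567"),
    make_event("JIKL", "ABC.ElectronicsService", "200 OK", "rest", "GET",
               "http://salo/vbghj/en/us/val/prot/1"),
    # Capitalised field name: Language still extracts, Request does not.
    make_event("MNOP", "ABC.ElectronicsService", "200 OK", "Rest", "GET",
               "http://salo/vbghj/en/us/val/prot/2"),
    # URL too short for the language pattern: stats ... by Language silently drops it.
    make_event("JIKL", "ABC.OtherService", "200 OK", "rest", "GET",
               "http://salo/vbghj/nolang"),
]


def extract_fields(event):
    """Return the key=value pairs of one event plus the two rex-derived fields (None if unmatched)."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(event):
        fields[key] = quoted if quoted else bare
    m = LANG_RE.search(event)
    fields["language"] = m.group("language") if m else None
    m = REQUEST_RE.search(event)
    fields["Request"] = m.group("Request") if m else None
    return fields


def summarize(events):
    """Equivalent of the accepted answer's single stats ... by Customer, REQ, Language."""
    groups = defaultdict(lambda: {"RequestCount": 0, "SuccessCount": 0,
                                  "FailureCount": 0, "Request": set()})
    for event in events:
        f = extract_fields(event)
        key = (f.get("Customer"), f.get("REQ"), f["language"])
        if None in key:
            continue  # a Splunk stats "by" clause excludes events with a null group-by field
        g = groups[key]
        g["RequestCount"] += 1
        httpres = f.get("HTTPRES")
        if httpres == "200 OK":
            g["SuccessCount"] += 1
        elif httpres is not None:  # eval(HTTPRES!="200 OK") is null, so uncounted, without HTTPRES
            g["FailureCount"] += 1
        if f["Request"] is not None:
            g["Request"].add(f["Request"])  # values(Request): distinct values per group
    rows = []
    for (customer, req, language), g in sorted(groups.items()):
        rows.append({"Customer": customer, "REQ": req, "Language": language,
                     "RequestCount": g["RequestCount"],
                     "SuccessCount": g["SuccessCount"],
                     "FailureCount": g["FailureCount"],
                     "Request": sorted(g["Request"])})
    return rows


def unmatched_language(events):
    """Events the language rex did not match; they vanish from any stats grouped by Language."""
    return [e for e in events if LANG_RE.search(e) is None]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
    print(len(unmatched_language(SAMPLE_EVENTS)), "event(s) without a Language value")
```

Running it prints one row per (Customer, REQ, Language) with RequestCount now being the per-language count the question asked for, which is why no second stats is needed. Before trusting the per-language numbers in Splunk, compare the total of RequestCount across rows with a plain count of the same search: any gap is the events whose URL did not match the language regex (or whose field is spelled Rest= rather than rest=) and that the by clause dropped silently.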