Solved: Need to shorten data and show it by count

sunnyparmar · ‎12-17-2017

Hi All,

I am executing query which is giving me the below result and I want to shorten the data and show in table format by total no. of count count. So what I want in table from the below result that is "code=200", "method=GET" and "SENDID=OSUUSPANKKI". Any insight would be appreciable. Thanks in advance

2017-12-18 07:26:50,357 [bwReqId=] [play-akka.actor.default-dispatcher-68163] [INFO ] [application] front-play - time=3ms code=200 method=GET remote_ip=85.76.XX.XX host=XXX.basware.com uri=/invoices/attachment/8fc60422e0de11e792e8f398?VERSION=0001&PMTREFNB=f171abc1-eef1-4cb3-a537-54ae4d638a65&TIMESTMP=2017-12-18-092641%2B02&KEYVERS=0001&ALG=0001&LANGCODE=1&SESSIONID=dGpohCr1yQJe-iKenar-&STATUS=Prod&SENDID=OSUUSPANKKI&PMTORIG=1&USERMAC=4901FF5EC300D405133A757F7FA0245B&MAC=B82F0BEECA1B8680CFD9889A94248EC9

andrey2007 · ‎12-17-2017

Hi, try this
[your search]

| rex field=_raw "^(?:[^=\n]*=){3}(?P<code>\d+)\s+\w+=(?P<method>[^ ]+)(?:[^&\n]*&){8}\w+=(?P<SENDID>\w+)"

and if you need count
| stats count by method SENDID code

View solution in original post

andrey2007 · ‎12-17-2017

Hi, try this
[your search]

| rex field=_raw "^(?:[^=\n]*=){3}(?P<code>\d+)\s+\w+=(?P<method>[^ ]+)(?:[^&\n]*&){8}\w+=(?P<SENDID>\w+)"

and if you need count
| stats count by method SENDID code

sunnyparmar · ‎12-18-2017

Could you please let me know how you made this possible by rex as I have tried also but didn't get succeed. Thank you so much

andrey2007 · ‎12-18-2017

You can do it using drop-down menu clicking Event Actions=>Extract fields with Regex generator to generate regexp.

Need to shorten data and show it by count

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...