
Need help with a log having multiple occurrences of the same field

abishekmaggo
New Member

I have the following logs, where field4 appears twice in each log line.

Example:
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=XXX, field2=ZZZZ), field3=jeSession, field4=abc_xxx, field6=ddd.com, field6=)) field7=service1 field4=xyz_xxx field8=ser1
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ1), field3=tuSession, field4=abc_yyy, field6=ccc.com, field6=)) field7=service2 field4=xyz_yyy field8=ser2

How can I make sure it always picks the first field4 for the value (the one with the value "abc_xxx", "abc_yyy")? I tried using mvindex, but it only works with multiple values in the field itself (e.g. field4=xxx,yyy).

I want to display a count by the first field4 only:

index=XXXXX | eval res=mvindex(field4,0) | stats count by res


niketn
Legend

@abishekmaggo, the first occurrence of field4 is followed by field6, while the second occurrence of field4 is followed by field8. So maybe you can use that to your advantage.

<yourBaseSearch>
| rex "field4=(?<field4>[^,]+),\s*field6="
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

adonio
Ultra Champion

Hello there,

I am positive there are other ways to solve it; here is a quick one, assuming your data always looks like your samples.
Use the |rex command to point only to your first field4, maybe something like this:

index=XXXXX
| rex "field3=\S+,\sfield4=(?<field4>\S+),"
| stats count by field4

See link:
https://regex101.com/r/uMivWN/1
Note: my regex might not be the best one.

Hope it helps.

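The two rex approaches from the answers above, checked offline against constructed events shaped like the question's samples (added example, not code from the thread or from Splunk). It assumes Python's `re`, which spells the named group `(?P<field4>...)` where Splunk's PCRE-based rex uses `(?<field4>...)`; `re.search` returns the leftmost match, which is the "first occurrence" the question asks for, and the count function stands in for `| stats count by field4`.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample events in the shape of the thread's log lines (not real data);
# the third line repeats a first-field4 value so the count is not all ones.
SAMPLE_EVENTS = [
    "2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=XXX, field2=ZZZZ), "
    "field3=jeSession, field4=abc_xxx, field6=ddd.com, field6=)) field7=service1 field4=xyz_xxx field8=ser1",
    "2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ1), "
    "field3=tuSession, field4=abc_yyy, field6=ccc.com, field6=)) field7=service2 field4=xyz_yyy field8=ser2",
    "2018-04-06T23:02:10.001+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ2), "
    "field3=tuSession, field4=abc_yyy, field6=eee.com, field6=)) field7=service3 field4=xyz_zzz field8=ser3",
]

# "Followed by field6" approach; \s* is needed because the samples have ", " after the value.
FIRST_BY_NEIGHBOUR = re.compile(r"field4=(?P<field4>[^,]+),\s*field6=")
# Same idea without \s*: fails on the samples because ",field6=" never occurs literally.
NEIGHBOUR_NO_SPACE = re.compile(r"field4=(?P<field4>[^,]+),field6=")
# "Preceded by field3" approach from the second answer.
FIRST_BY_PRECEDING = re.compile(r"field3=\S+,\sfield4=(?P<field4>\S+),")
# Position-based alternative: the leftmost field4=, whatever surrounds it.
FIRST_ANY = re.compile(r"field4=(?P<field4>[^,\s)]+)")


def first_field4(event: str, pattern: re.Pattern = FIRST_ANY) -> Optional[str]:
    """Value of the first field4 occurrence, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("field4") if m else None


def all_field4(event: str) -> List[str]:
    """Every field4 value in order: this is why auto-extraction yields a multivalue field."""
    return re.findall(r"field4=([^,\s)]+)", event)


def count_by_first_field4(events: List[str], pattern: re.Pattern = FIRST_ANY) -> Dict[str, int]:
    """Offline equivalent of '| rex ... | stats count by field4' over raw events."""
    values = (first_field4(e, pattern) for e in events)
    return dict(Counter(v for v in values if v is not None))


if __name__ == "__main__":
    for name, pat in [("neighbour", FIRST_BY_NEIGHBOUR), ("preceding", FIRST_BY_PRECEDING), ("any", FIRST_ANY)]:
        print(name, count_by_first_field4(SAMPLE_EVENTS, pat))
```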