Need help with log having multiple occurrence of s...

abishekmaggo · ‎04-06-2018

I have following logs where field4 is coming twice in each log line.

Example:
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=XXX, field2=ZZZZ), field3=jeSession, field4=abc_xxx, field6=ddd.com, field6=)) field7=service1 field4=xyz_xxx field8=ser1
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ1), field3=tuSession, field4=abc_yyy, field6=ccc.com, field6=)) field7=service2 field4=xyz_yyy field8=ser2

How I can make sure it always pick first field4 for value (one with value as "acd_xxx", "abc_yyy"). I tried using mvindex but it works with multiple value in field itself (e.g. field4=xxx,yyy)

I want to display count by first field4 only

index=XXXXX | eval res=mvindex(field4,0) | stats count by res

niketn · ‎04-07-2018

@abishekmaggo, first occurrence of field4 is followed by field6 while the second occurrence of field4 is followed by field8. So maybe you can use that to your advantage.

<yourBaseSearch>
| rex "field4=(?<field4>[^,]+),field6="

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

adonio · ‎04-06-2018

hello there,

i am positive there other ways to solve it, here is a quick one assuming your data looks always like your samples
use the |rex command to point only to your first field4 maybe something like this:

index = XXXXX
| rex "field3=\S+,\sfield4=(?<field4>\S+),"
| stats count by field4

see link:
https://regex101.com/r/uMivWN/1
note: my regex might not be the best one

hope it helps

Need help with log having multiple occurrence of same field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life