Splunk Search

Need help with Stats report

lain179
Communicator

I have hundreds of log files containing the following pattern. Basically, I need to create a report for each PROJECTNAME, with the column headers "Filtered", "Missed", "Directories", "New documents", etc. The column values will be 0, 148, 0, 145, etc.

The following four are just examples - I have about 20 different types, and I need to capture and report the counts per PROJECTNAME. How do I do that?

[A1] Filtered : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Missed : 148 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Directories : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Total time : 0.5 ms <1 (12345)> SERVER.PROJECTNAME.Job

Thanks.


jharty_splunk
Splunk Employee

Are your fields defined? If not, you'll have to set up your search-time field extractions:

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsatsearchtime

If you're not very familiar with regex, try using the Interactive Field Extractor:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesearch-timefieldextractions#Review_s...

If the fields are set up, just run the search:
| table Filtered, Missed, Directories, New documents

To output to file:
| table Filtered, Missed, Directories, New documents | outputcsv file.csv

lain179
Communicator

I am very familiar with Regex. However, if I use regex to extract the pattern, "Filtered", "Missed", "Directories", and other 20+ labels become the values of a field variable rather than the fields themselves.

I can hard-code 20+ times in the field conf, but I am trying to avoid that if possible.

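The follow-up describes exactly the situation where one regex yields a label field and a value field instead of 20+ separate fields. As an added example (not from anyone in this thread), the search below extracts the label and value once with `rex` and then pivots them into one column per label and one row per project with `chart`, so no per-label entry in props/transforms is needed. `YOUR_INDEX` and `YOUR_SOURCETYPE` are placeholders for the index and sourcetype that hold these log files; the field names `metric`, `value`, `server` and `project` are names chosen here.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| rex field=_raw "^\[\w+\]\s+(?<metric>[^:]+?)\s*:\s*(?<value>[\d.]+)(?:\s+[A-Za-z]+)?\s+<[^>]+>\s+(?<server>[^.\s]+)\.(?<project>[^.\s]+)\.Job\s*$"
| where isnotnull(project)
| chart sum(value) OVER project BY metric
```

Run against the four sample lines in the question, this yields a single row for PROJECTNAME with the columns Directories (0), Filtered (0), Missed (148) and Total time (0.5); the optional `(?:\s+[A-Za-z]+)?` group is what lets the unit "ms" on the "Total time" line pass through without breaking the match. If each log file is one job run and you want the most recent run per project rather than a total across all files, use `latest(value)` instead of `sum(value)`, and append `| outputcsv file.csv` as in the accepted answer to write the table to a file.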