I have hundreds of log files containing the following pattern. Basically, I need to create a report for each PROJECTNAME, with the column headers "Filtered", "Missed", "Directories", "New documents", etc. The column values will be 0, 148, 0, 145, etc.
The following four are just examples - I have about 20 different types, and I need to capture and report the counts per PROJECTNAME. How do I do that?
[A1] Filtered : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Missed : 148 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Directories : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Total time : 0.5 ms <1 (12345)> SERVER.PROJECTNAME.Job
Thanks.
Are your fields defined? If not, you'll have to set up your search-time field extractions:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsatsearchtime
If you're not very familiar with regex try using the Interactive Field Extractor:
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesearch-timefieldextractions#Review_s...
If the fields are set up, just run the search:
| table Filtered, Missed, Directories, New documents
To output to file:
| table Filtered, Missed, Directories, New documents | outputcsv file.csv
I am very familiar with Regex. However, if I use regex to extract the pattern, "Filtered", "Missed", "Directories", and other 20+ labels become the values of a field variable rather than the fields themselves.
I can hard code 20+ times in field conf, but I am trying to avoid that if possible.
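The parsing-and-pivot step the question asks for, and the problem the follow-up comment describes (the label being captured as a field value rather than becoming a column), as an added standalone example; this is not from the original thread and not Splunk code. It uses a single regex to pull the label, numeric value, optional unit, and PROJECTNAME out of each line, then pivots the records so every distinct label becomes a column, with no per-label configuration. The log lines are constructed to match the shape shown in the question (an extra OTHERPROJ project and a non-matching line are added to show missing columns and skipped input); the choice to sum repeated counts for the same project and label is an assumption.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample input in the shape shown in the question; the OTHERPROJ
# lines and the trailing junk line are added to exercise gaps and bad input.
SAMPLE_LOG = """\
[A1] Filtered : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Missed : 148 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Directories : 0 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] New documents : 145 <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Total time : 0.5 ms <1 (12345)> SERVER.PROJECTNAME.Job
[A1] Filtered : 3 <1 (12346)> SERVER.OTHERPROJ.Job
[A1] Missed : 7 <1 (12346)> SERVER.OTHERPROJ.Job
[A1] Total time : 1.25 ms <1 (12346)> SERVER.OTHERPROJ.Job
this line does not match the pattern and is skipped
"""

# One expression for every label type: the label is whatever precedes the colon,
# so a new counter type in the logs needs no extra configuration.
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+"
    r"(?P<label>[A-Za-z][A-Za-z ]*?)\s*:\s*"      # e.g. "Filtered", "New documents"
    r"(?P<value>-?\d+(?:\.\d+)?)"                  # integer or decimal value
    r"(?:\s*(?P<unit>[A-Za-z]+))?\s+"              # optional unit such as "ms"
    r"<(?P<tid>\d+)\s+\((?P<pid>\d+)\)>\s+"
    r"(?P<server>[^.\s]+)\.(?P<project>[^.\s]+)\.(?P<job>\S+)\s*$"
)


def parse_line(line):
    """Return a dict of named groups for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    raw = rec["value"]
    rec["value"] = float(raw) if "." in raw else int(raw)
    return rec


def build_report(lines):
    """Pivot (project, label) -> value so each label becomes a report column.

    Returns (labels, report): labels in first-seen order, report keyed by
    PROJECTNAME with one dict of label -> value per project. Repeated
    (project, label) pairs are summed (assumption: counts across job runs add up).
    """
    report = defaultdict(dict)
    labels = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are dropped rather than aborting the run
        label, project, value = rec["label"], rec["project"], rec["value"]
        if label not in labels:
            labels.append(label)
        row = report[project]
        row[label] = row.get(label, 0) + value
    return labels, dict(report)


def to_csv(labels, report):
    """Render the pivoted report as CSV text; missing cells are left empty."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["PROJECTNAME"] + labels)
    for project in sorted(report):
        writer.writerow([project] + [report[project].get(lbl, "") for lbl in labels])
    return buf.getvalue()


if __name__ == "__main__":
    found_labels, found_report = build_report(SAMPLE_LOG.splitlines())
    print(to_csv(found_labels, found_report))
```

The same pivot is what a Splunk search does when a `rex` extraction of `label` and `value` is followed by a command that turns `label` values into columns (for example `chart` with `over project by label`); the Python version makes the two-step shape explicit and is easy to run against the raw files outside Splunk to sanity-check the numbers.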