Splunk Search

How do you retrieve names in comments using regex?

ramesh12345
Explorer

Hi,

index="os" sourcetype="test"  CaseNumber=*| dedup _time,CaseNumber  | rex field=Notes "(?\d+-\d+-\d+\s*\d+:\d+:\d+)\s*\-\s*(?\w*\W*\w*\s*\w*\s*\(\d+\))\s*"

The above query displays the lastupdated user. But I want to display all names from the comments

EX:

2019-03-07 11:48:12 - one (1234513241) (Case Notes (Comments Visible )) data in not loading
2019-03-07 12:48:12 - two (2345132421) (Case Notes (Comments Visible)) error occured
2019-03-06 14:48:12 - three (3451324143) (Case Notes (Comments Visible)) testing
2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress
2019-03-06 17:48:12 - four (2416575443) (Case Notes (Comments Visible)) filter option
2019-03-06 18:48:12 - five (4154678765) (Case Notes (Comments Visible)) data loading

This is for one case. After date is names of the persons. So I want to display all names who commented for that case.

Ex:Casenumber is 1111

1111 one (1234513241) two (2345132421) three (3451324143) four (2416575443) five (4154678765) like this

How do I write the regular expression to do this?

Tags (3)
0 Karma
1 Solution

vnravikumar
Champion

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@ramesh12345 ,

Based on your sample data , try

"your search"
| rex "-\s(?<Names>\w+\s\(\d+\))"
| stats values(Names) as Names by Casenumber 
| nomv Names 
Happy Splunking!
0 Karma

ramesh12345
Explorer

Hi,
With you query i am getting names who worked on that particular case.But My requirement is to display single person completed cases.
Ex: Case:1 name: raju
Case:2 name:raju,ramu,rakesh
Case:3 name:ramu,rakesh,rahul,raju

so the requirement is single peron completed cases.

Here raju only worked on one case.so raju count is 1

In multiple cases he involved: raju count is 2

index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber|lookup L1Team.csv SSO as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment!=lg AND assignment_group="Sustaining",1,NULL) |eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName

with this query iam getting only who closed this case.that number is assigned to that case.
i want to display like above what i explained.Please help how to do this

0 Karma

vnravikumar
Champion

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...