I am attempting to do this search:
host = pesweb* "payment via manually entered card" | stats count by users
My data looks like:
2014-05-15 13:20:08,728 INFO [resin-port-foo port pdeur: foo port invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java) - payment via manually entered card: user/amt/invoice = pdeur/foo123
The bold is the user id associated with these events, but when I attempt the above search it doesn't detect that as a user id.
My question is how may I make it do so? Should I use some type of field extraction? My end goal is to be able to see which users are using this method and allow our customer support team to reach out to these customers and see why they are entering this information manually.
Thanks in advance, Splunk community!
Hi apalen,
based on your provided examples, try something like this:
your base search here | rex field="_raw" "user/amt/invoice\s=\s(?<myUser>[\w\d]{3,10})" | table myUser
this will create a new field named myUser
If this matches your needs, you can use this as an automatic field extraction.
hope this helps ...
cheers, MuS
Oh sorry, the user ids are tagged at the beginning and end.
foo
foo123
Thanks MuS, I will try this!
And the user id in these logs is "11950843", "11950841", etc., OR "ENC11950843", "ENC11950841"?
User ids can be a combination of alphanumeric values between 3 and 10 digits.
[foo123:10095 aaaZ5kH3likxE8fFvwfyu ENC11950841] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo123/2681/11950841
[foo:2513 aaaVBhyhrcPFc5cFUGfyu ENC11950843] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/5000/11950843
Here is a snippet of our logs; I have scrubbed some of the data.
2014-05-16 11:01:51,065 INFO [ foo:10598 aaaJQk5ZSIo446szyJfyu ENC11945241] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/2925/11945241
2014-05-16 11:01:25,165 INFO [ ] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = null/27155/11951016
Or provide some more sample events (to cover all possibilities) and Splunkers can help you with the regex.
You can use Splunk's inbuilt Field Extractor for the same. (In the event view of the data, click on the small triangle on the left of the event [Event options menu] and select 'Extract fields'. Provide example values and click on Generate. You can save the field extraction from there as well.)
http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/ExtractfieldsinteractivelywithIFX
I was afraid of this. My regex is pretty weak. If anyone in the community is a regex pro with a few minutes, I would greatly appreciate any direction on this regex to produce the results I'm looking for.
As always thanks in advance splunk community!
You will have to create a field extraction / use the rex command to retrieve the field 'user', as it's not in Splunk's standard format (key-value pair).
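To show what MuS's rex pattern actually pulls out of the sample events posted above (and where it needs a guard), here is an added example that is not part of the thread or of Splunk itself. It runs the same regex in Python over the scrubbed events from the thread plus one constructed event with an over-long id. The Splunk rex form `(?<myUser>...)` becomes Python's `(?P<myUser>...)`, and `[\w\d]` is written as `\w`, which already includes digits. The helper names (`extract_user`, `extract_tag_user`, `count_by_user`, `LONG_ID_EVENT`) are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample events copied from the thread (already scrubbed by the poster).
# The second one is the "null" user case that a naive extraction counts as a real user.
EVENTS: List[str] = [
    "2014-05-16 11:01:51,065 INFO [ foo:10598 aaaJQk5ZSIo446szyJfyu ENC11945241] "
    "invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) "
    "- payment via manually entered card: user/amt/invoice = foo/2925/11945241",
    "2014-05-16 11:01:25,165 INFO [ ] "
    "invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) "
    "- payment via manually entered card: user/amt/invoice = null/27155/11951016",
    "[foo123:10095 aaaZ5kH3likxE8fFvwfyu ENC11950841] "
    "invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) "
    "- payment via manually entered card: user/amt/invoice = foo123/2681/11950841",
    "[foo:2513 aaaVBhyhrcPFc5cFUGfyu ENC11950843] "
    "invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) "
    "- payment via manually entered card: user/amt/invoice = foo/5000/11950843",
]

# Constructed event (not from the thread): a 12-character id, longer than the {3,10} bound.
LONG_ID_EVENT = (
    "2014-05-16 11:03:00,000 INFO [ abcdefghijkl:1 x ENC1] "
    "invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) "
    "- payment via manually entered card: user/amt/invoice = abcdefghijkl/1/1"
)

# MuS's rex pattern, in Python syntax. Splunk's rex (PCRE) spells the group (?<myUser>...).
USER_RE = re.compile(r"user/amt/invoice\s=\s(?P<myUser>\w{3,10})")

# Stricter variant: require the "/" that follows the user in the user/amt/invoice triple.
# With the loose pattern an id longer than 10 characters matches silently truncated to 10;
# with this one it fails to match instead, which is easier to notice in a report.
STRICT_USER_RE = re.compile(r"user/amt/invoice\s=\s(?P<myUser>\w{3,10})/")

# The same id also appears in the bracketed tag at the start of the event ("[ foo:10598 ...]").
# The null event has an empty tag "[ ]", so this pattern simply does not match there.
TAG_RE = re.compile(r"\[\s*(?P<tagUser>\w{3,10}):\d+\s")


def extract_user(event: str, strict: bool = False) -> Optional[str]:
    """Equivalent of `| rex field=_raw "user/amt/invoice\\s=\\s(?<myUser>...)"`.

    Returns the myUser value, or None when the pattern does not match.
    """
    pattern = STRICT_USER_RE if strict else USER_RE
    m = pattern.search(event)
    return m.group("myUser") if m else None


def extract_tag_user(event: str) -> Optional[str]:
    """Pull the user id out of the leading bracket tag, or None for an empty tag."""
    m = TAG_RE.search(event)
    return m.group("tagUser") if m else None


def count_by_user(events: List[str], drop=("null",)) -> Dict[str, int]:
    """Equivalent of `| rex ... | where myUser!="null" | stats count by myUser`.

    Events whose user is missing or in `drop` are left out of the count, so the
    customer-support list is not polluted by the literal string "null".
    """
    counts: Counter = Counter()
    for event in events:
        user = extract_user(event)
        if user is None or user in drop:
            continue
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in EVENTS:
        print(extract_user(event), extract_tag_user(event))
    print(count_by_user(EVENTS))
```

In SPL the same filtering is a `where myUser!="null"` (or a `NOT` in the regex) between the `rex` and the `stats`; without it the "null" row shows up in the report as if it were a customer.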