- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you retrieve names in comments using regex?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
index="os" sourcetype="test" CaseNumber=*| dedup _time,CaseNumber | rex field=Notes "(?\d+-\d+-\d+\s*\d+:\d+:\d+)\s*\-\s*(?\w*\W*\w*\s*\w*\s*\(\d+\))\s*"
The above query displays the lastupdated user. But I want to display all names from the comments
EX:
2019-03-07 11:48:12 - one (1234513241) (Case Notes (Comments Visible )) data in not loading
2019-03-07 12:48:12 - two (2345132421) (Case Notes (Comments Visible)) error occured
2019-03-06 14:48:12 - three (3451324143) (Case Notes (Comments Visible)) testing
2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress
2019-03-06 17:48:12 - four (2416575443) (Case Notes (Comments Visible)) filter option
2019-03-06 18:48:12 - five (4154678765) (Case Notes (Comments Visible)) data loading
This is for one case. After date is names of the persons. So I want to display all names who commented for that case.
Ex:Casenumber is 1111
1111 one (1234513241) two (2345132421) three (3451324143) four (2416575443) five (4154678765) like this
How do I write the regular expression to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ramesh12345
Try this
| makeresults
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress"
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ramesh12345 ,
Based on your sample data , try
"your search"
| rex "-\s(?<Names>\w+\s\(\d+\))"
| stats values(Names) as Names by Casenumber
| nomv Names
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
With you query i am getting names who worked on that particular case.But My requirement is to display single person completed cases.
Ex: Case:1 name: raju
Case:2 name:raju,ramu,rakesh
Case:3 name:ramu,rakesh,rahul,raju
so the requirement is single peron completed cases.
Here raju only worked on one case.so raju count is 1
In multiple cases he involved: raju count is 2
index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber|lookup L1Team.csv SSO as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment!=lg AND assignment_group="Sustaining",1,NULL) |eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName
with this query iam getting only who closed this case.that number is assigned to that case.
i want to display like above what i explained.Please help how to do this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ramesh12345
Try this
| makeresults
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress"
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
