I have a Splunk log as follows:
...||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 1000 and exiting method write()::LeadItemWriter
----||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 197 and exiting method write()::LeadItemWriter
||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 3860 and exiting method write()::OrderItemWriter
||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 30 and exiting method write()::OrderItemWriter
I need to get the total count by job type, so my result will be like:
ORDER_JOB LEAD_JOB
------------------------------------------
3890 1197
Can anyone please help me to write the Splunk query for getting the above result?
Try this:
index=whatever yourquery
| rex "Writer\s+-\s+(?<jobtype>[^:]+):\s+Batch.*?successful.*count\s+(?<jobcount>\d+)\s+and"
| stats sum(jobcount) by jobtype
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
@xpac If I have a ":" symbol after the count, how can I change it? I mean count : 360
| rex "Writer\s+-\s+(?<jobtype>[^:]+):\s+Batch.*?successful.*count\s+:\s+(?<jobcount>\d+)\s+and"
The \s+ always means "one or more whitespace characters", e.g. space, tab, newline etc.
@xpac It's not working. For a log like:
||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 41
How can I get the value 41?
I fixed the regex in the comment above, sorry, I made a copy&paste error.
The line you showed this time is different in its structure; however, this regex should work for all lines:
| rex "-\s+(?<jobtype>[^:]+):.*?(?<jobcount>\d+).*?$"
Be aware that this regex is rather generic, because the log formats are different, and it might capture the wrong data in some cases.
@xpac Sorry, that is not for the previous requirement, it's for a new purpose. So I don't want it as generic. That is a different log; the above query returns an incorrect result.
Then try this:
| rex "OPPORTUNITY_JOB:\s+List\s+size:\s+(?<listsize>\d+)(?:\D|$)"
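The extraction patterns from this thread, run over constructed copies of the quoted log lines and summed per job type, as an added example that is not part of the original posts. JavaScript stands in for `rex` and `stats` because it accepts the same `(?<name>...)` group syntax; the helper names, the "Retry 2 scheduled" event and the comparison of a `[\D|$]` ending with `(?:\D|$)` are assumptions made for illustration.

```javascript
// Added example: a JavaScript stand-in for Splunk's rex/stats, not code from the thread.
// Constructed events, modelled on the log lines quoted in the thread.
const PREFIX = "||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.";
const writerEvents = [
  PREFIX + "batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 1000 and exiting method write()::LeadItemWriter",
  PREFIX + "batch.writer.LeadItemWriter - LEAD_JOB: Batch insertion is successful for count 197 and exiting method write()::LeadItemWriter",
  PREFIX + "batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 3860 and exiting method write()::OrderItemWriter",
  PREFIX + "batch.writer.OrderItemWriter - ORDER_JOB: Batch insertion is successful for count 30 and exiting method write()::OrderItemWriter",
];
const listEvent = PREFIX + "service.OpportunityService - OPPORTUNITY_JOB: List size: 41";
// Constructed (hypothetical) event: contains a number that is not a count or list size.
const noisyEvent = PREFIX + "service.OpportunityService - OPPORTUNITY_JOB: Retry 2 scheduled";

// Patterns from the thread.
const SPECIFIC = /Writer\s+-\s+(?<jobtype>[^:]+):\s+Batch.*?successful.*count\s+(?<jobcount>\d+)\s+and/;
const GENERIC = /-\s+(?<jobtype>[^:]+):.*?(?<jobcount>\d+).*?$/;
// Inside [...] the characters | and $ are literals, so LIST_CLASS needs one more
// non-digit character after the number; LIST_ALT also accepts end of event.
const LIST_CLASS = /OPPORTUNITY_JOB:\s+List\s+size:\s+(?<listsize>\d+)[\D|$]/;
const LIST_ALT = /OPPORTUNITY_JOB:\s+List\s+size:\s+(?<listsize>\d+)(?:\D|$)/;

// Like `rex`: return one named field, or null when the event does not match.
function extract(pattern, event, field) {
  const m = pattern.exec(event);
  return m ? m.groups[field] : null;
}

// Like `stats sum(jobcount) by jobtype`; events that do not match are skipped.
function sumByJobType(events, pattern) {
  const totals = {};
  for (const event of events) {
    const m = pattern.exec(event);
    if (!m) continue;
    const { jobtype, jobcount } = m.groups;
    totals[jobtype] = (totals[jobtype] || 0) + Number(jobcount);
  }
  return totals;
}

console.log(sumByJobType(writerEvents, SPECIFIC));
// The generic pattern picks up the unrelated "2"; the specific one skips the event.
console.log(extract(GENERIC, noisyEvent, "jobcount"), extract(LIST_ALT, noisyEvent, "listsize"));
// A number at the very end of the event: the bracketed ending finds nothing.
console.log(extract(LIST_CLASS, listEvent, "listsize"), extract(LIST_ALT, listEvent, "listsize"));
```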