Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex/RegEx Question

tkwaller
Builder
‎02-07-2014 11:33 AM

Hello

I am trying to pull a text string out of some raw results using a simple regex. Heres my question: I would like to be able to get a stats count on the number of occurrances of this string. i would assume that you would have to put it into another field as it is simple text at the moment and not in a field. How would I do this? I am new to the rex/regex portion of Splunk and could use a little guidance.

Here is the raw data:

log_source=TT.WebService.Internal.OrderIntegration.OrderIntegration - Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange.
TT.Logic.TicketsNotFoundException: Exception of type 'TT.Logic.TicketsNotFoundException' was thrown.

I used \bUnable\b.* to get just the sentence "Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange."

I tried using "rex field=_raw...." and also creating a field named error like "rex field=error mode=sed" but am still not doing something correctly.

Any advice would be appreciated, thank you!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-07-2014 12:12 PM

Try this:

search |rex ".*(?P<UnableCart>unable.*)" |table UnableCart

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 12:50 PM

In order to count events containing a certain string, try something like this:

index=foo sourcetype=bar "a certain string" | stats count
0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎02-07-2014 12:48 PM

I am trying to count the number of events that contain this string

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 12:12 PM

Are you trying to count the number of events that contain a certain string, or are you trying to count the number of times a certain string appears in one event?

0 Karma
Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-07-2014 12:12 PM

Try this:

search |rex ".*(?P<UnableCart>unable.*)" |table UnableCart

Reply
Solved! Jump to solution

tkwaller
Builder
‎02-07-2014 12:53 PM

Getting closer. I think I can move forward from here through trial and error. Thanks so much for the guidance

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...