Hello all. I'm totally new to Splunk, and I'm totally desperate now. I have a .log file in which I have to search for a specific sentence. For example:
Today is a pretty day. My name is: Daniel, and I am: 50 years old and I live on: CC.1234.55541.
These three values (name, age and the street I live on) will always be different in the .log file. I need to find this whole sentence, then save the age (2nd value) and the street (3rd value). Then I need to e-mail a dashboard with a different sentence in which I place the 2nd and 3rd value from the sentence found in the .log file. I've been looking for 2 days and I can't find an answer. Is there something like %s, or something that substitutes a string/integer? The third parameter will always start with 2 letters. Maybe I can somehow create values where I save the number and then append it to the sentence which will be sent by e-mail in the dashboard? Hope you know what I mean. Comparing my skill in Splunk, I'm like a small dog which can't swim and is thrown into the swimming pool to learn how to swim without any previous lessons... Thanks for the help.
I would like to use an if/else statement, something like this:
if ( index = help source=/Info.log sourcetype=info "My name is:" "and I am:" "and I live on:"
| rex "My name is: (?<name>[^,]+),and I am: (?<age>\d+) years old and I live on:(?<street>\S+)" )
{
| table name age street
| eval EmailBody="This was the name:".name." and this was the age:".age." and finally the street".street
}
else {
| eval EmailBody="Nothing found"
}
Try the updated answer.
Try like this:
index = help source=/Info.log sourcetype=info "My name is:" "and I am:" "and I live on:"
| rex "My name is: (?<name>[^,]+),and I am: (?<age>\d+) years old and I live on:(?<street>\S+)"
| table name age street
| eval EmailBody="This was the name:".name." and this was the age:".age." and finally the street".street
For your other requirement of if/else:
index = help source=/Info.log sourcetype=info "My name is:" "and I am:" "and I live on:"
| rex "My name is: (?<name>[^,]+),and I am: (?<age>\d+) years old and I live on:(?<street>\S+)"
| stats count by name age street
| appendpipe [| stats count | where count=0 | eval EmailBody="Not Found" ]
| fields - count
| eval EmailBody=coalesce(EmailBody,"This was the name:".name." and this was the age:".age." and finally the street".street )
Works! 🙂 Thanks for your help.
Btw, Bloomington is a pretty place. I played an AirSoft game there a couple of years ago, when I was in the USA. 🙂
Well, I'll try again with another example, because this didn't work for me. 😞 In my search, for example, I have:
index = help source=/Info.log sourcetype=info "Today is a pretty day. My name is: Daniel, and I am: 50 years old and I live on: CC.1234.55541."
This finds me this specific example, but in the log I can have a different name/age/street, so I need to substitute it with something else which reads the value and saves it. Then I can save the report and create a dashboard which will be scheduled for a specific time every day and send the report if it finds this sentence in the log. If it doesn't find it, then it won't send anything.
I'm looking for something like: "Today is a pretty day. My name is: scanf(a,"%s"), and I am: scanf(b,"%s") years old and I live on: scanf(c,"%s")."
Now I would have 3 values (a, b, c) and would create a sentence: We found him, he is 'b' years old and lives on 'c' address.
Probably it's very simple, but this is my 2nd week with Splunk...
Believe it or not, as of v6.4.1 Splunk supports printf()! Yes, you should read the release notes. See here:
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/ConversionFunctions
Are you looking for something like this?
| gentimes start=-1 | eval _raw="Today is a pretty day. My name is: Daniel, and I am: 50 years old and I live on: CC.1234.55541." | table _raw
| rename COMMENT as "Above is to generate dummy data. replace it with your search"
| rex "My name is: (?<name>[^,]+),and I am: (?<age>\d+) years old and I live on:(?<street>\S+)"
| table name age street
| eval EmailBody="This was the name:".name." and this was the age:".age." and finally the street".street
@somesoni2, minor corrections to your regular expression:
| rex "My name is: (?<name>[^,]+), and I am: (?<age>\d+) years old and I live on: (?<street>\S+)"
@davidlajda, what you need to grasp even before diving into Splunk is how to identify patterns in your logs and extract them using Regular Expressions (which are pretty universal). You can test and learn Regular Expressions on a site like https://regex101.com/
Paste the log events on which you want to perform regular-expression-based pattern matching into the TEST STRING box, and then try out your Regular Expression by pasting/typing it into the REGULAR EXPRESSION box:
My name is: (?<name>[^,]+), and I am: (?<age>\d+) years old and I live on: (?<street>\S+)
It will not just match your expression and show you the captured groups, but will also give you an EXPLANATION of how the regular expression recognized the pattern in the MATCH INFORMATION section. It also has a QUICK REFERENCE for you to pick up regular expression basics easily.
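To show what the corrected rex pattern above and the "Not Found" fallback from the coalesce/appendpipe answer actually do, here is an added Python example; it is not code from the thread or from Splunk. It uses the same pattern as the corrected regular expression, written with Python's `(?P<name>...)` group syntax (Splunk's rex uses PCRE-style `(?<name>...)`), runs it over a few constructed log lines, and builds either the e-mail sentence the asker wanted or "Not Found" when no line matches. Stripping the trailing full stop from the street value is this example's own choice, since `\S+` otherwise captures it.

```python
import re

# Constructed sample log lines (not from the original thread). The third line has
# no matching sentence, so it exercises the "nothing found" path.
SAMPLE_LOG = """\
Today is a pretty day. My name is: Daniel, and I am: 50 years old and I live on: CC.1234.55541.
Today is a pretty day. My name is: Anna, and I am: 31 years old and I live on: AB.9876.00012.
Service started, nothing else to report.
"""

# Same pattern as the corrected rex in the thread (note the spaces after ", and" and "on:"),
# using Python's (?P<name>...) named-group syntax instead of PCRE's (?<name>...).
PATTERN = re.compile(
    r"My name is: (?P<name>[^,]+), and I am: (?P<age>\d+) years old and I live on: (?P<street>\S+)"
)


def extract(line):
    """Return a dict with name/age/street for one log line, or None if the sentence is absent."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # \S+ also swallows the sentence's trailing full stop; drop it so the value is just the address.
    fields["street"] = fields["street"].rstrip(".")
    return fields


def build_email_body(log_text):
    """Mirror the SPL: one sentence per matching event, or 'Not Found' when nothing matched."""
    sentences = []
    for line in log_text.splitlines():
        fields = extract(line)
        if fields is not None:
            sentences.append(
                f"We found him, he is {fields['age']} years old and lives on {fields['street']} address."
            )
    return "\n".join(sentences) if sentences else "Not Found"


if __name__ == "__main__":
    print(build_email_body(SAMPLE_LOG))
    print(build_email_body("no matching sentence in this log"))
```

The `extract` function corresponds to the `rex` step, and `build_email_body` to the `eval EmailBody=...` plus the `appendpipe`/`coalesce` fallback: when the regular expression matches nothing, the body is the fixed "Not Found" string rather than an empty result, which is what lets a scheduled report decide whether there is anything to send.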