"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Need RegEx Help Please!
All,
I'm a newbie to Splunk and Regular Expressions. I could really use some help creating some Splunk friendly regular expressions that I can use as fields. Here is a sample syslog entry:
Apr 3 15:04:55 adsl-068-153-219-120.sip.bct.bellsouth.net 6807: Router-1969: 006804: Apr 3 15:04:54: %SEC-6-IPACCESSLOGP: list
FromInternet permitted udp 69.173.64.15(15) -> 68.153.219.120(123), 1
packet
Here are the Regular Expressions I'd like to create as Fields to use in all Splunk Apps.
1.) Source IP Address - Matching value above is "69.173.64.15"
2.) Source Port - Matching value above is "15". I'd like to exclude the parenthesis in the match.
3.) Destination IP Address - Matching value above is "68.153.219.120"
4.) Destination Port - Matching value above is "123". I'd like to exclude the parenthesis in the match.
5.) Access List - Matching value above is"FromInternet" which always follows the word "list" and can be a variable amount of letters/numbers.
Most important is that I want each of these to be Fields that I can leverage in all Splunk apps.
I really appreciate the help that the Splunk Ninja crew will provide to me. So thank you very much in advance!
James E
I'm a newbie to Splunk and Regular Expressions. I could really use some help creating some Splunk friendly regular expressions that I can use as fields. Here is a sample syslog entry:
Apr 3 15:04:55 adsl-068-153-219-120.sip.bct.bellsouth.net 6807: Router-1969: 006804: Apr 3 15:04:54: %SEC-6-IPACCESSLOGP: list
FromInternet permitted udp 69.173.64.15(15) -> 68.153.219.120(123), 1
packet
Here are the Regular Expressions I'd like to create as Fields to use in all Splunk Apps.
1.) Source IP Address - Matching value above is "69.173.64.15"
2.) Source Port - Matching value above is "15". I'd like to exclude the parenthesis in the match.
3.) Destination IP Address - Matching value above is "68.153.219.120"
4.) Destination Port - Matching value above is "123". I'd like to exclude the parenthesis in the match.
5.) Access List - Matching value above is"FromInternet" which always follows the word "list" and can be a variable amount of letters/numbers.
Most important is that I want each of these to be Fields that I can leverage in all Splunk apps.
I really appreciate the help that the Splunk Ninja crew will provide to me. So thank you very much in advance!
James E
Views: 143
Replies to This Discussion
-
Permalink Reply by Ferry Leirissa on -
Hai James,
This is syslog right?
I am happy to help you, can you sent me a part of the logile? So I have some mass data to doublecheck before twaeking afterwards.
Please sent it to leirissa@hotmail.com
Thanks
Ferry
-
Permalink Reply by Michael Wilde on -
Per our email discussion
go to C:\Program Files\Splunk\etc\system\local
create and edit a file called "props.conf" (as it probably isnt there) -- changes to this file will be system wide (meaning these field extractions will be in every app)
in PROPS.CONF stick this in there
[cisco_syslog]
EXTRACT-num_packets = (?\d+)\spacket|packets
EXTRACT-logp_fields = ACCESSLOGP\: list (?\S+) (?\S+) (?\S+) (?[^\(]*)\((?\d+)[^\>]*\> (?[^\(]*)\((?\d+)
-
Permalink Reply by James Esposito on -
MIchael,
Thanks. Just so you know, I wrote the above discussion post before I got your email.
Thanks for the help!
James
-
Permalink Reply by Ferry Leirissa on
-
Hai Micheal,
Whats the total input here, can you sent me it as well?
Cause you dont have the fields decribed here now right? What is your advice, to do FORMAT or inline?
Cheers
Ferry
-
Permalink Reply by Michael Wilde on
-
Looks like some of my message got garbled by this forum tool (because it looks like XML).. lets try again: (using an HTML escape characters for the GT/LT brackets)
[cisco_syslog]
EXTRACT-num_packets = (?<num_packets>\d+)\spacket|packets
EXTRACT-logp_fields = ACCESSLOGP\: list (?<access_list>\S+) (?<disposition>\S+) (?<protocol>\S+) (?<src_ip>[^\(]*)\((?<src_port>\d+)[^\>]*\> (?<dest_ip>[^\(]*)\((?<dest_port>\d+)
Those are inline extractions. The times when i couple them with transforms.conf and "FORMAT" are when i need extra settings for the field extraction that inline can't handle -- but its rare.
© 2012 Created by Michael Wilde.
