"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Regex For Identifying IP Addresses (To Extract Field)
I've tried and failed to extract the IP Address field such that it only includes sets of 4 numbers that are all separated by periods. The built-in Splunk Regex pattern generator always seems to tag additional text or punctuation that makes it took specific.
For instance, the pattern generator tells me to use this:
(?i) accepted: (?P<FIELDNAME>.*)
That works to find 172.25.97.121 in the line below:
2010-03-16 09:46:57.288/[NioTCPListener, swiftlet=sys$jms, port=4001]/INFORMATION/connection accepted: 172.25.97.121
But the same Regex doesn't find the same IP address in this line:
2010-03-16 09:45:15.986/sys$jms/INFORMATION/JMSConnection v630/172.25.97.121:2355/connection closed
Any ideas?
Thanks,
Swack
Views: 625
© 2012 Created by Michael Wilde.
