
I am trying to pull out the hostname of a virus scan message and create a new field, but I am not having any luck. This is the part of the log I am trying to run a regex against:

virus detected in \HOST001\SERVER-AV-1\

I can't seem to get what is between the first \ and second \

Any help would be appreciated


Replies to This Discussion

Perry... think it out... talk it out... like this...

a backslash, ( followed by any character that is not a backslash ), followed by a backslash.

I put the parens around the phrase above, because we'll use that as a capturing group.

--for the backslashes we'll need to "escape them" -- you do that by adding an extra backslash, which tells the engine to treat the next character literally... then the parens tell us "we're going to capture the stuff in the parens so we can refer to it." The first capturing group is known as $1. Next... see those brackets with a "caret" in them. That's a list of characters that our match cannot possibly be--but repeated between 1 and unlimited times with that "+" at the end. Close the parens, sealing off our capturing group, and then follow it with an escaped backslash and you should be good.

REGEX = \\([^\\]+)\\
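To see what that pattern actually captures, and why the negated character class matters, here is an added Python example that is not part of the original thread. The log lines are constructed to match the shape of the message in the question, and Python's (?P<name>...) is used where Splunk's rex (PCRE) would write (?<name>...).

```python
import re
from typing import Optional

# Constructed sample lines shaped like the AV message in the question.
SAMPLE_LINES = [
    "May 17 10:01:22 av01 scanner: virus detected in \\HOST001\\SERVER-AV-1\\",
    "May 17 10:02:05 av01 scanner: virus detected in \\WKS-042\\C$\\Users\\bob\\",
    "May 17 10:03:11 av01 scanner: scan completed, no threats found",
]

# The pattern from the reply: escaped backslash, capture one or more
# non-backslash characters, escaped backslash. Named group instead of $1.
HOST_RE = re.compile(r"\\(?P<host>[^\\]+)\\")

# The common mistake: a greedy .+ runs to the LAST backslash, not the second.
GREEDY_RE = re.compile(r"\\(?P<host>.+)\\")


def extract_host(line: str) -> Optional[str]:
    """Return the text between the first and second backslash, or None."""
    m = HOST_RE.search(line)
    return m.group("host") if m else None


def extract_host_greedy(line: str) -> Optional[str]:
    """Same extraction with .+ so the difference is visible."""
    m = GREEDY_RE.search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{extract_host(line)!r:12} greedy: {extract_host_greedy(line)!r}")
```

Lines with no backslash-delimited path return None rather than a bogus field, which is the behaviour you want before feeding the result into stats or a lookup.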

© 2012   Created by Michael Wilde.