Jayesh Rajvir

Splunk search query

index=au_axs_app_log
source=log

I wanted to write a Splunk query where the data in Response Code is greater than 05. Currently it displays where the data in this field is set as 00. Can you please share how I can write a query that would fetch the desired results?

EXT-ID[25]      FLD[Point of Service Condi..]  FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[Binary Coded De..]  DATA[51]
EXT-ID[32]      FLD[Acquiring Institution ..]  FRMT[LVAR-Bin]    LL[1]  LEN[6]    TYPE[String]             CHS[Binary Coded De..]  DATA[320000]
EXT-ID[37]      FLD[Retrieval Reference Nu..]  FRMT[FIXED-Group] LL[0]  LEN[12]   TYPE[String]             CHS[EBCDIC]             DATA[203906284278]
+EXT-ID[37.1]   FLD[Julian Date and time]      FRMT[FIXED]       LL[0]  LEN[6]    TYPE[String]             CHS[ASCII]              DATA[203906]
+EXT-ID[37.2]   FLD[RRN Stan]                  FRMT[FIXED]       LL[0]  LEN[6]    TYPE[String]             CHS[ASCII]              DATA[284278]
EXT-ID[38]      FLD[Authorization Identifi..]  FRMT[FIXED]       LL[0]  LEN[6]    TYPE[String]             CHS[EBCDIC]             DATA[552572]
****EXT-ID[39]      FLD[Response Code]             FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[EBCDIC]             DATA[00]****
EXT-ID[42]      FLD[Card Acceptor Identifi..]  FRMT[FIXED]       LL[0]  LEN[15]   TYPE[String]             CHS[EBCDIC]             DATA[320000000000001]
EXT-ID[49]      FLD[Currency Code, Transac..]  FRMT[FIXED]       LL[0]  LEN[3]    TYPE[String]             CHS[Binary Coded De..]  DATA[036]
EXT-ID[62]      FLD[Custom Payment Service..]  FRMT[LVAR-Bin-Group] LL[1]  LEN[18]   TYPE[String]             CHS[ASCII]              DATA[i)xg?P?@]
++EXT-ID[62.2]   FLD[62-2 Transaction Ident..]  FRMT[FIXED]       LL[0]  LEN[15]   TYPE[String]             CHS[Binary Coded De..]  DATA[869297810679250]
++EXT-ID[62.23]   FLD[62-23 Product ID]          FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[Extended EBCDIC..]  DATA[A ]

Answers (1)

warren

If you'd like a full regex for extracting all of the bracketed fields, this is the most efficient one-shot I could make:

| rex field=_raw "(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\]]+).+A\[(?<data>[^\]]+)"

Most often I do sequential rex calls, just in case some fields aren't present in all events, but your sample data shows each of these items present.

Once you've extracted every field in the data, you can stats or search it any way you may like (I see some of your "FLD" (which I've named "fieldtype") values can have spaces or punctuation, so I'm using the wildcard search feature to match anything that looks like "Response Code"):

index=ndx sourcetype=srctp 
| rex field=_raw "(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\]]+).+A\[(?<data>[^\]]+)"
| search fieldtype="Response*" 
| stats count by extid data fieldtype
| fields - count
| where tonumber(data)>5

tonumber is quite flexible; I'm using it here in its simplest form.

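The extraction and filter from the answer above, run outside Splunk so the result can be checked. This is an added Python example, not code from the question or from the answer: it renders the rex as a Python regex (Python needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, and this version matches each label in full rather than by its last letter), then applies the same `Response*` field filter and the `tonumber(data)>5` threshold. The sample events are copied from the question's dump plus three constructed Response Code lines (DATA[05], DATA[51], DATA[N7]) that are not in the original; the function names are this example's own.

```python
import re
from collections import Counter

# Python rendering of the answer's rex. Every label is matched in full and
# each value stops at the first "]" except DATA, which is read greedily up
# to the last "]" on the line because LVAR-Bin payloads such as
# DATA[i)xg?P?@] are raw bytes and may themselves contain "]".
FIELD_RE = re.compile(
    r"EXT-ID\[(?P<extid>[\d.]+)\]"
    r".+?FLD\[(?P<fieldtype>[^\]]+)\]"
    r".+?FRMT\[(?P<format>[^\]]+)\]"
    r".+?LL\[(?P<ll>[^\]]+)\]"
    r".+?LEN\[(?P<len>[^\]]+)\]"
    r".+?TYPE\[(?P<type>[^\]]+)\]"
    r".+?CHS\[(?P<charset>[^\]]+)\]"
    r".+?DATA\[(?P<data>.*)\]"
)

SAMPLE_EVENTS = [
    # lines taken from the question's dump
    "EXT-ID[25]      FLD[Point of Service Condi..]  FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[Binary Coded De..]  DATA[51]",
    "+EXT-ID[37.1]   FLD[Julian Date and time]      FRMT[FIXED]       LL[0]  LEN[6]    TYPE[String]             CHS[ASCII]              DATA[203906]",
    "EXT-ID[39]      FLD[Response Code]             FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[EBCDIC]             DATA[00]",
    "EXT-ID[62]      FLD[Custom Payment Service..]  FRMT[LVAR-Bin-Group] LL[1]  LEN[18]   TYPE[String]             CHS[ASCII]              DATA[i)xg?P?@]",
    "++EXT-ID[62.23]   FLD[62-23 Product ID]          FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[Extended EBCDIC..]  DATA[A ]",
    # constructed events (not from the question) to exercise the threshold
    "EXT-ID[39]      FLD[Response Code]             FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[EBCDIC]             DATA[05]",
    "EXT-ID[39]      FLD[Response Code]             FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[EBCDIC]             DATA[51]",
    "EXT-ID[39]      FLD[Response Code]             FRMT[FIXED]       LL[0]  LEN[2]    TYPE[String]             CHS[EBCDIC]             DATA[N7]",
]


def parse_event(line):
    """Return the bracketed fields of one event as a dict, or None when the
    line is not a field-dump line (Splunk's rex would just add no fields)."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def parse_all(lines):
    return [f for f in map(parse_event, lines) if f is not None]


def count_by(parsed, *keys):
    """Mirror of '| stats count by <keys>'."""
    return Counter(tuple(f[k] for k in keys) for f in parsed)


def response_codes_above(lines, threshold=5):
    """Mirror of '| search fieldtype="Response*" | where tonumber(data)>5'.

    Filtering on the field name first matters: the question's own dump has
    DATA[51] on the Point of Service field, and it must not be reported as a
    response code. Non-numeric codes are skipped, which is what happens in
    Splunk when tonumber() returns null and the where clause drops the event.
    """
    hits = []
    for f in parse_all(lines):
        if not f["fieldtype"].startswith("Response"):
            continue
        try:
            code = int(f["data"])
        except ValueError:
            continue
        if code > threshold:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in response_codes_above(SAMPLE_EVENTS):
        print(f["extid"], f["fieldtype"], f["data"])
    for key, n in sorted(count_by(parse_all(SAMPLE_EVENTS), "extid", "fieldtype", "data").items()):
        print(n, key)
```

Run as-is it reports only the constructed DATA[51] response code: DATA[05] is not greater than 5, DATA[00] is the case the question already sees, and DATA[N7] is dropped because it does not convert to a number.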