[splunk]: Obtain a count of hits in a query of regexes

I am searching for a list of regexes in a splunk alert like this:
... | regex "regex1|regex2|...|regexn"
Can I modify this query to get a table of the regexes found along with their counts? The table shouldn't show rows with 0 counts, for example:
regex2 17
regexn 3

The regex command merely filters events. All we know is that each result matched the regular expression; there is no record or indication of why or how any event passed.
To do that, you'd have to extract a unique field or value for each regex and then test the resulting events to see which field or value was present. The regex command, however, does not extract anything. You'd need the rex command or the match function to do that.
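For illustration, a sketch of the match-function approach mentioned above (matched_regex is a made-up field name here, and regex1/regex2 stand in for the actual patterns, one case branch per regex):
... | eval matched_regex=case(match(_raw, "regex1"), "regex1", match(_raw, "regex2"), "regex2", true(), null())
| stats count by matched_regex
Events matching none of the patterns get a null matched_regex and are dropped by stats, so no 0-count rows appear.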

It turns out the | regex line is not needed. This works for me; notice the extra parentheses around each regex. Regexes with no matches simply won't appear in the output, since stats count by only emits rows for values that actually occur.
| rex max_match=0 "(?P<countfields>((regex1)|(regex2)|..|(regexn)))"
| stats count by countfields

Related

Splunk join with an in-memory record

Sorry for the lame question; I am new to Splunk.
What I am trying to do is to join my search result with a fake record declared in the search body, something like
index=...
| join type=outer <column>
[ | <here declare a record to join with>
......
The idea is to make sure there is at least one record in the resulting search. The following cases are expected:
1. the original search returns records
2. the original search does not return anything because the result is filtered
3. the original search does not return anything because the source is empty
I need to distinguish cases 2 and 3, which is what the join is for. The fake record will eliminate case 3, so I will only need to filter the result.
There's a better way to handle the case of no results returned. Use the appendpipe command to test for that condition and add fields needed in later commands.
| appendpipe [ stats count | eval column="The source is empty"
| where count=0 | fields - count ]
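For example, a sketch of how the clause might attach to a search (the index name and the preceding commands are placeholders):
index=...
| <original search commands>
| appendpipe [ stats count | eval column="The source is empty" | where count=0 | fields - count ]
When the preceding pipeline returns at least one row, the where count=0 test fails and nothing is appended; when it returns nothing, the single marker row guarantees the search is never empty.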

How to count and compare amount of regex matches

I want to use Sumo Logic to count how often different APIs are called. I want to have a table with API call name and value. My current query is like this:
_sourceCategory="my_category"
| parse regex "GET.+443 (?<getUserByUserId>/user/v1/)\d+" nodrop
| parse regex "GET.+443 (?<getUserByUserNumber>/user/v1/userNumber)\d+"
| count by getUserByUserId, getUserByUserNumber
This gets correct values, but they go to different columns. When I have more variables, the table becomes very wide and hard to read.
I figured it out: I need to use the same group name for all regexes, like this:
_sourceCategory="my_category"
| parse regex "GET.+443 (?<endpoint>/user/v1/)\d+" nodrop
| parse regex "GET.+443 (?<endpoint>/user/v1/userNumber)\d+"
| count by endpoint

How to exclude the time field from Sumo Logic results?

How do I exclude the Time (_messagetime) metadata field from my result set?
I've tried:
field -_messagetime
But it gives me the error
Field _messagetime not found, please check the spelling and try again.
Using:
fields -time
does not remove the field either.
Currently I'm getting around this by using an aggregate (count) that has no effect on the data.
[EDIT]
Here's an example query:
Removing the Message (_raw) works. But removing the time (_messagetime) doesn't.
These results are used as email alerts, so removing the Time field from the Display isn't really an option.
The easiest way is to just turn off the field in the field browser window on the left-hand side of the results.
The other option is to aggregate and then remove the aggregate field - even if you just aggregate on _raw (which is the raw message):
_sourceCategory=blah
| count by _raw
| fields -_count
If you're still having trouble, can you share the rest of your query?
Edit based on your new query:
*
| parse "Description=\"*\"" as Description
| parse "Date=\"*\"" as Date
| count by Description, Date, Action
| fields -_count
The Time field is there as a result of the timeslice operation, as far as I'm aware. The following should do the trick:
| fields - _timeslice

How to compose a query that matches multiple tag values?

I was wondering what the best way is to compose a WHERE clause that matches multiple values for a tag. I was under the impression that I could solve this using a regex pattern, but I seem to have hit a wall. Too much data is returned by my query…
In my case I have several measurements that have a 'location_id' tag.
When I create a query using a WHERE clause like the one below, I get data back that is not correct, probably due to my misunderstanding of how to use the regex pattern, or maybe it is impossible…
My data is as follows
time                  cpu  location_id
----                  ---  -----------
2017-11-27T07:00:00Z  159  2
2017-11-27T15:00:00Z  154  27
2017-11-27T23:00:00Z  117  7
2017-11-28T07:00:00Z  160  7
2017-11-28T15:00:00Z  167  27
2017-11-28T23:00:00Z  170  27
When I execute a query, I only want the locations back with the value '7'.
But when I use a query like the one below, the data from location_id 27 is also returned…
SELECT * FROM "measurement" WHERE location_id =~ /7/;
My goal is to indicate that the location_id should be in a list of values. Is this even possible with regex? Or should I use AND clauses?
SELECT * FROM "measurement" WHERE location_id =~ /7|2|104|45/;
This is possible with regex (albeit only with tags/fields that are strings). First, recall that the regex /7/ matches the character 7 anywhere in the input text. Therefore both "7" and "27" match.
To constrain the match to cover the entire input text, wrap it in start-of-text ^ and end-of-text $ markers. For example, the regex /^7$/ will match only the string "7" and nothing else.
To match against multiple entire strings, use the regex or operator |. Remember, however, that it has lower precedence than concatenation, meaning we have to wrap the subexpression in parentheses. For example, /^(7|2|104|45)$/ will match either "7", "2", "104", or "45".
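Applied to the query from the question, the WHERE clause would look something like:
SELECT * FROM "measurement" WHERE location_id =~ /^(7|2|104|45)$/;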
See the golang regex syntax documentation for more details.

Configure Sphinx to index dash and search it with and without it

I have a record
Item id: 1, name: "wd-40"
How do I configure Sphinx to match this record on the following queries:
Item.search("wd40")
Item.search("wd-40")
To answer your title question, charset_table is what you want.
http://sphinxsearch.com/docs/current.html#charsets
But that doesn't actually solve the problem of matching both queries; indexing the dash as a word character would just give you the inverse problem.
Instead, you probably want ignore_chars
http://sphinxsearch.com/docs/current.html#conf-ignore-chars
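A minimal sphinx.conf sketch, assuming the dash is the only character you want ignored (the index name and the other settings are placeholders):
index items
{
    # source, path, etc. omitted
    # '-' (U+002D) is dropped at both index and search time,
    # so "wd-40" and "wd40" both end up as "wd40"
    ignore_chars = U+002D
}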
First, indexing:
By default, Sphinx indexes only letters and digits; other characters are treated as word separators. To fix that, you need to use the charset_table parameter to map the dash to itself so it is kept as part of the word.
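For illustration, a charset_table along these lines keeps the dash as a word character (a sketch based on the default English table):
# digits, letters and '-' (U+002D) are all treated as word characters,
# so "wd-40" is indexed verbatim
charset_table = 0..9, a..z, _, A..Z->a..z, U+002D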
Second, searching:
AFAIK, it is not possible to make Sphinx treat both searches the same, as you are asking for. However, you can just use something like:
# in Python, but I believe it is understandable
query = word
if '-' in word:
    query += " | " + word.replace('-', '')
Item.search(query)  # if word = 'wd-40', query = 'wd-40 | wd40'
