0
votes

I am new to Splunk. Hence, I would require some support to build a search query.

Below is how my log prints:

[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::FAILED BECAUSE ROOT CAUSE::Ticket was an Add, but there was no valid account named XYZ for user

[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::::FAILED BECAUSE::Account XYZ is not correct for user 1234. Will not close ticket.

I would like to have the output in the table format below:

RITM |App|user|Error

RITM1234|XYZ|1234|Ticket was an Add, but there was no valid account named XYZ for user

1
Start by completing the free Splunk Fundamentals I course at splunk.com/en_us/training/free-courses/…. It will teach you the basics about searching in Splunk. That aside, your request is unclear. You have 2 events, but only one result. How will Splunk know which event to choose? – RichG

1 Answer

0
votes

The following command will extract the important fields from the event. It just uses regular expressions to break up the event.

rex field=_raw "RITM(?<RITM>\d+):+(?<msg>[^:]+):+(?<root_cause>[^:]+)"

Once that is done, you can extract the username in the following way, again using regular expressions:

rex field=root_cause "(named|user) (?<username>\w+)"

Putting everything together with a table, you should get something like the following:

rex field=_raw "RITM(?<RITM>\d+):+(?<msg>[^:]+):+(?<root_cause>[^:]+)" | rex field=root_cause "(named|user) (?<username>\w+)" | table RITM, username, root_cause
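To check that the regexes in the answer actually match the two event shapes from the question before pasting them into Splunk, here is an added Python example that is not part of the answer or of Splunk itself. It runs the same extraction logic over two constructed sample events (placeholder timestamps, not real log data). It goes a little beyond the answer: App and user are pulled out of root_cause with two separate patterns rather than one `(named|user)` alternation, and rows are merged per RITM so the two events collapse into the single row the question asks for; that merge is an assumption about the asker's intent (in Splunk the equivalent would be a `stats values(...) by RITM` after the rex commands). Note that Python's `re` spells named groups `(?P<name>...)` where Splunk's rex uses `(?<name>...)`.

```python
import re
from typing import Optional

# Constructed sample events, modelled on the two lines quoted in the question.
# Timestamps and the "(lots of text)" prefix are placeholders, not real log data.
SAMPLE_EVENTS = [
    "[181] 2024-01-01 10:00:00 INFO (lots of text)RITM1234::FAILED BECAUSE ROOT CAUSE::"
    "Ticket was an Add, but there was no valid account named XYZ for user",
    "[181] 2024-01-01 10:00:01 INFO (lots of text)RITM1234::::FAILED BECAUSE::"
    "Account XYZ is not correct for user 1234. Will not close ticket.",
]

# Same shape as the answer's first rex, in Python's (?P<name>...) syntax.
# There is no space between "RITM" and the digits in the sample events, and
# ":+" absorbs the variable number of "::" separators between fields.
EVENT_RE = re.compile(r"RITM(?P<RITM>\d+):+(?P<msg>[^:]+):+(?P<root_cause>[^:]+)")

# App and user are extracted from root_cause separately (an assumption about the
# asker's wanted columns; the answer's single "(named|user)" rex would put the
# account name into username for the first event).
APP_RE = re.compile(r"(?:named|Account) (?P<app>\w+)")
USER_RE = re.compile(r"user (?P<user>\d+)")


def extract_event(raw: str) -> Optional[dict]:
    """Return RITM/App/user/Error for one event, or None if it is not an RITM failure line."""
    m = EVENT_RE.search(raw)
    if m is None:
        return None
    root_cause = m.group("root_cause").strip()
    app = APP_RE.search(root_cause)
    user = USER_RE.search(root_cause)
    return {
        "RITM": "RITM" + m.group("RITM"),
        "App": app.group("app") if app else "",
        "user": user.group("user") if user else "",
        "Error": root_cause,
    }


def merge_by_ritm(events) -> list:
    """Collapse rows to one per RITM, keeping the first non-empty value per column.

    This mirrors what a `stats ... by RITM` would do in Splunk. It is an assumption
    about the asker's intent: the question shows two events but one output row.
    """
    merged = {}
    for raw in events:
        row = extract_event(raw)
        if row is None:
            continue  # skip lines that do not carry an RITM failure
        acc = merged.setdefault(
            row["RITM"], {"RITM": row["RITM"], "App": "", "user": "", "Error": ""}
        )
        for col in ("App", "user", "Error"):
            if not acc[col] and row[col]:
                acc[col] = row[col]
    return list(merged.values())


def render_table(rows) -> str:
    """Render rows as the pipe-separated table layout used in the question."""
    cols = ["RITM", "App", "user", "Error"]
    lines = ["|".join(cols)]
    lines += ["|".join(r[c] for c in cols) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(merge_by_ritm(SAMPLE_EVENTS)))
```

Running it prints a single `RITM1234|XYZ|1234|Ticket was an Add, ...` row. If you only want per-event rows (one per log line, as the answer's `table` command produces), call `extract_event` on each line and skip the merge; the first event then has an empty user column, because its text ends in "for user" with no id, which is exactly the ambiguity RichG's comment points out.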