I am new to Splunk. Hence, I would require some support to build a search query.

Below is how my log prints:

[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::FAILED BECAUSE ROOT CAUSE::Ticket was an Add, but there was no valid account named XYZ for user

[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::::FAILED BECAUSE::Account XYZ is not correct for user 1234. Will not close ticket.

I would like to have the output in the below table format:

RITM |App|user|Error

RITM1234|XYZ|1234|Ticket was an Add, but there was no valid account named XYZ for user

Jagan
    Start by completing the free Splunk Fundamentals I course at https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html. It will teach you the basics about searching in Splunk. That aside, your request is unclear. You have 2 events, but only one result. How will Splunk know which event to choose? – RichG May 08 '20 at 00:24

1 Answer

The following command will extract the important fields from the event. It just uses regular expressions to break up the event.

rex field=_raw "RITM(?<RITM>\d+):+(?<msg>[^:]+):+(?<root_cause>[^:]+)"

Once that is done, you can extract the username in the following way, again using regular expressions.

rex field=root_cause "(named|user) (?<username>\S+)"

Putting everything together with a table, you should get something like the following.

rex field=_raw "RITM(?<RITM>\d+):+(?<msg>[^:]+):+(?<root_cause>[^:]+)" | rex field=root_cause "(named|user) (?<username>\S+)" | table RITM, username, root_cause
Simon Duff
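As an added example, not part of the answer above or the asker's Splunk setup, here is the same extraction prototyped in Python against the two event lines quoted in the question, so the patterns can be checked before they go into `rex`. It splits the account (App) and the user id into separate columns, as the requested table asks, and the event that carries no user id simply yields an empty cell, which is the ambiguity RichG's comment points at; the regex names and helper functions are this example's own.

```python
import re

# Constructed sample input: the two event lines quoted in the question.
EVENTS = [
    "[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::FAILED BECAUSE ROOT CAUSE::"
    "Ticket was an Add, but there was no valid account named XYZ for user",
    "[181] xxxx-xx-xx xx:xx:xx INFO (lots of text)RITM1234::::FAILED BECAUSE::"
    "Account XYZ is not correct for user 1234. Will not close ticket.",
]

# Same shape as the answer's first rex: ticket id, then colon-delimited message and
# root cause. Splunk's rex uses PCRE (?<name>...) where Python needs (?P<name>...).
# There is no space between "RITM" and the digits in the sample events, and the
# ticket id is captured whole so it matches the "RITM1234" column the question wants.
FIELDS_RE = re.compile(r"(?P<RITM>RITM\d+):+(?P<msg>[^:]+):+(?P<root_cause>[^:]+)")

# The account (App) is the token after "named" or "Account"; the user is the run of
# digits after "user", so the sentence-ending period in "user 1234." is not captured.
APP_RE = re.compile(r"\b(?:named|Account) (?P<app>\S+)")
USER_RE = re.compile(r"\buser (?P<user>\d+)")


def extract(event):
    """Return one row (RITM, App, user, Error) for an event, or None if it does not match."""
    m = FIELDS_RE.search(event)
    if m is None:
        return None
    error = m["root_cause"].strip()
    app = APP_RE.search(error)
    user = USER_RE.search(error)
    return {
        "RITM": m["RITM"],
        "App": app["app"] if app else "",
        "user": user["user"] if user else "",
        "Error": error,
    }


def to_table(events):
    """Pipe-delimited rows in the question's layout; events that do not match are dropped."""
    rows = [r for r in map(extract, events) if r is not None]
    lines = ["RITM|App|user|Error"]
    lines += ["|".join(r[c] for c in ("RITM", "App", "user", "Error")) for r in rows]
    return lines


if __name__ == "__main__":
    print("\n".join(to_table(EVENTS)))
```

The three patterns translate one-to-one into `rex field=_raw`, `rex field=root_cause` and `rex field=root_cause` commands followed by `table RITM, App, user, Error`, once `(?P<name>` is written as `(?<name>`.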