splunk rex 命令搜索異常並計算錯誤代碼

Question

我有看起來像這樣的原始數據：

[6/24/22 6:45:20:277 IST] 000005d4 Output     O abcd-ddd-dd.ppp1.ttttttt.net sys      2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null
[6/24/22 6:45:20:277 IST] 000005d4 Output     O abcd-ddd-dd.ppp1.ttttttt.net sys      2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null

我需要 rex 命令的幫助，該命令可以過濾所有帶有“ Limoc Input : Exception occurred: 100 ” “ Limoc Input : Exception occurred: 101 ” 和類似的消息，並對它們進行計數並打印下面的消息“ COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null ”。 例如：

100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null 2
101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null 3

Answer 1

看看這個到處跑的搜索是否能讓你朝着正確的方向前進。

| makeresults
| eval data="[6/24/22 6:45:20:277 IST] 000005d4 Output O abcd-ddd-dd.ppp1.ttttttt.net sys 2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null
[6/24/22 6:45:20:277 IST] 000005d4 Output O abcd-ddd-dd.ppp1.ttttttt.net sys 2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null"
| eval data=split(data,"
")
| mvexpand data
| eval _raw=data
| fields - data
```Everything above just sets up test data.  Omit IRL```
```Extract the exception number and text which follows```
| rex "Limoc Input : Exception occurred: (?<Exception>10[01]) (?<DisplayText>.*)"
```Count the occurrences.  Copy the text.```
| stats values(DisplayText) as DisplayText, count by Exception
```Display the results```
| table DisplayText count

Answer 2

從尋找您的鍵控文本的基本搜索開始：

index=ndx sourcetype=srctp "Limoc Input : Exception occurred"

根據您的示例數據，此rex會將您要查找的內容提取到新字段msg中：

| rex field=_raw ":\s+(?<msg>\d+\s+\w+.+)"

然后，您可以將其stats到表格中：

| stats count by msg