topic Re: Extracting values for table in Splunk Search

Extracting values for table

reinharn — Wed, 03 Jul 2019 15:29:38 GMT

I have events in my logs that look like

{
     linesPerSec:    1694.67    
     message:    Status:    
     rowCount:   35600000   
     severity:   info
}

when i make a search like:

index="apps"  app="my-api" message="*Status:*" | table  _time,  linesPerSec, rowCount

This is what my table ends up looking like

How do I get the number value away from the key for both linesPerSec and rowCount? I want to see all instances. I tried using values(linesPerSec) but that seemed to aggregate only unique.

Thanks,

Nate

Re: Extracting values for table

aohls — Wed, 03 Jul 2019 17:11:17 GMT

You could use a regex to extract just the number.|rex field=_raw "linesPerSec (?<linesPerSec>\d+$)"|rex field=_raw "rowCount (?<rowCount>\d+$)"

EDIT: Cant get it to show but between the ? and \d would be the value name you want to use in the search surrounded by <>.

This would get you just the number values. If you are using the log a lot also you should look at setting up a field extraction; it would make it easier in the future.

Re: Extracting values for table

rbechtold — Wed, 03 Jul 2019 17:30:04 GMT

Hey Nate,

This simple extraction should do the trick.

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

Re: Extracting values for table

reinharn — Wed, 03 Jul 2019 17:34:41 GMT

Thanks for the response!

If I wanted to get those values into the table how would I go about that?

index="apps"  app="my-api" message="*\Status:*" | table linesPerSec, rowCount | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

I still get the table values as the key/value.

Re: Extracting values for table

rbechtold — Wed, 03 Jul 2019 17:50:31 GMT

No problem!

Since the fields don't exist until after the extraction is complete, you'll need to move the table to be after your extraction in order to see them.

This should correct the issue:

index="apps"  app="my-api" message="*\Status:*" | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)" | table _time linesPerSec, rowCount

Let me know if there are any problems!

Re: Extracting values for table

reinharn — Wed, 03 Jul 2019 18:15:54 GMT

Just tried that. Still doesn't seem to like to separate the values.

Re: Extracting values for table

reinharn — Wed, 03 Jul 2019 18:17:12 GMT

https://imgur.com/a/2v3OcMa

Re: Extracting values for table

rbechtold — Wed, 03 Jul 2019 18:39:02 GMT

Let's try a different approach -- extracting directly from the fields themselves.

Could you give this a try for me?

index="apps"  app="my-api" message="*\Status:*" 
| rex field=linesPerSec "(?<LPS>[\d\.]+)"
| rex field=rowCount "(?<RC>\d+)"
| table _time LPS RC

Since I'm not exactly sure if the problem is coming from the fields or the extraction, I'm just going to bypass both and create two new fields: LPS (linesPerSec) and RC (rowCount).

These should contain the correct values.

Re: Extracting values for table

reinharn — Wed, 03 Jul 2019 18:41:53 GMT

That worked! Thanks so much!