topic Re: field extraction help in Splunk Search

field extraction help

getmesomedata — Sun, 09 Jun 2013 17:58:32 GMT

I'm fairly new to Splunk so forgive me if I'm asking the obvious.

I'm creating an app for my RabbitMQ server and I'm having a few issues with one of my field extractions. I've got a script

C:\windows\system32>"C:\Program Files (x86)\RabbitMQ Server\rabbitmq_server-3.0.4\sbin\rabbitmqctl.bat" list_queues

which outputs the following:

Listing queues ...
firstQueue  10
secondQueue 10
whatever    20
...done.

I can write a field extraction to pull out the queue names and the values one by one but I want it to be more dynamic as the number of queues might change over time. So the next time the script runs it might list out 4 entries and so on.

Can anyone advice me on setup my field extractions so it dynamically pulls out the queue names and count values.

Re: field extraction help

starcher — Sat, 15 Jun 2013 02:26:29 GMT

I am not familiar with rabbitMQ and that bat file you are calling. Do you have the ability to modify the output any? If you could get it to output as key value pairs like
firstQueue=10
secondQueue=10

Then Splunk will auto extract all key value pairs on it's own without much coaxing. And that would let you not worry about the dynamic number of queues that might come out.

Re: field extraction help

getmesomedata — Wed, 19 Jun 2013 22:27:47 GMT

Thanks, this worked a treat