topic How to parse p4 logs in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529133#M149393 <P>&nbsp;</P><P><SPAN class="t"><SPAN class="t h">2020</SPAN>/11/12</SPAN> <SPAN class="t">12:37:17</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">282689</SPAN> <SPAN class="t">compute</SPAN> <SPAN class="t">end</SPAN> <SPAN class="t">.028s</SPAN> <SPAN class="t">23</SPAN><SPAN>+</SPAN><SPAN class="t">5us</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">32io</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">0net</SPAN> <SPAN class="t">16472k</SPAN> <SPAN class="t">0pf</SPAN> <SPAN class="t">Perforce</SPAN> <SPAN class="t">server</SPAN> <SPAN class="t">info:</SPAN> <SPAN class="t">Server</SPAN> <SPAN class="t">network</SPAN> <SPAN class="t">estimates:</SPAN> <SPAN class="t">files</SPAN> <SPAN class="t">added/updated/deleted=0/0/0</SPAN><SPAN>, </SPAN><SPAN class="t">bytes</SPAN> <SPAN class="t">added/updated=0/0</SPAN></P><P><SPAN class="t">2020/11/12</SPAN> <SPAN class="t">08:53:57</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">249917</SPAN>&nbsp;xyz@admin-client-for-stag&nbsp;<SPAN class="t">127.0.0.1</SPAN><SPAN> [</SPAN><SPAN class="t">p4/2018.1/LINUX26X86_64/1738923</SPAN><SPAN>] '</SPAN><SPAN class="t">user-sizes</SPAN> <SPAN class="t">//ddc/...</SPAN><SPAN>' --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t a"><SPAN class="t">lapse</SPAN></SPAN> <SPAN class="t">98.5s</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">rpc</SPAN> <SPAN class="t">msgs/size</SPAN> <SPAN class="t">in</SPAN><SPAN>+</SPAN><SPAN class="t">out</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">1814189/0mb</SPAN><SPAN>+</SPAN><SPAN class="t">509mb</SPAN> <SPAN class="t">himarks</SPAN> <SPAN class="t">795800/318788</SPAN> <SPAN class="t">snd/rcv</SPAN> <SPAN class="t">92.8s/.000s</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">db.revhx</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">locks</SPAN> <SPAN class="t">read/write</SPAN> <SPAN class="t">1/0</SPAN> <SPAN class="t">rows</SPAN> <SPAN class="t">get</SPAN><SPAN>+</SPAN><SPAN class="t">pos</SPAN><SPAN>+</SPAN><SPAN class="t">scan</SPAN> <SPAN class="t">put</SPAN><SPAN>+</SPAN><SPAN class="t">del</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">1</SPAN><SPAN>+</SPAN><SPAN class="t">1814190</SPAN> <SPAN class="t">0</SPAN><SPAN>+0</SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="t">2020/11/12</SPAN> <SPAN class="t">08:21:39</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">245315</SPAN>&nbsp;xyz<SPAN class="t"><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/808">@Admin</a>-client-for-stag</SPAN>&nbsp;<SPAN class="t">127.0.0.1</SPAN> [<SPAN class="t">p4/2018.1/LINUX26X86_64/1738923</SPAN>] '<SPAN class="t">user-sizes</SPAN> <SPAN class="t">-s</SPAN> <SPAN class="t">-a</SPAN> <SPAN class="t">-b</SPAN> <SPAN class="t">512</SPAN> <SPAN class="t">//mapgrp/...</SPAN>' --<SPAN class="t">-</SPAN> <SPAN class="t a"><SPAN class="t">lapse</SPAN></SPAN> <SPAN class="t">106s</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">usage</SPAN> <SPAN class="t">51584</SPAN>+<SPAN class="t">13969us</SPAN> <SPAN class="t">75284368</SPAN>+<SPAN class="t">0io</SPAN> <SPAN class="t">0</SPAN>+<SPAN class="t">0net</SPAN> <SPAN class="t">8832k</SPAN> <SPAN class="t">0pf</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">db.rev</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">pages</SPAN> <SPAN class="t">in</SPAN>+<SPAN class="t">out</SPAN>+<SPAN class="t">cached</SPAN> <SPAN class="t">4704508</SPAN>+<SPAN class="t">0</SPAN>+<SPAN class="t">96</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="t">2020/11/12 08:14:10 pid 243592&nbsp;yyyz@admin-client-for-stag&nbsp;127.0.0.1 [p4/2018.1/LINUX26X86_64/1738923] 'user-sizes -s -a -b 512 //projects/...' --- <SPAN class="t a">lapse</SPAN> 80.4s --- usage 38774+9874us 49562128+0io 0+0net 8832k 0pf --- db.rev --- pages in+out+cached 3374543+0+96</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN class="t">I have logs which shows lapse in seconds , they are several other logs along with this , i want to extract if logs pattern contains lapse and if lapse is greater than 100s ,and then print "<A href="mailto:p4admin@admin-client-for-stag-21&quot;" target="_blank" rel="noopener">xyz@admin-client-for-stag-21"</A>&nbsp;who is the user who did this change ,may be extract only </SPAN></P><LI-SPOILER>xyz</LI-SPOILER><P>user</P><P>&nbsp;</P><P><SPAN class="t">Any help ?</SPAN></P><P>&nbsp;</P><P><SPAN class="t">Thanks,</SPAN></P> Thu, 12 Nov 2020 13:19:24 GMT vinodarokiya 2020-11-12T13:19:24Z How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529133#M149393 <P>&nbsp;</P><P><SPAN class="t"><SPAN class="t h">2020</SPAN>/11/12</SPAN> <SPAN class="t">12:37:17</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">282689</SPAN> <SPAN class="t">compute</SPAN> <SPAN class="t">end</SPAN> <SPAN class="t">.028s</SPAN> <SPAN class="t">23</SPAN><SPAN>+</SPAN><SPAN class="t">5us</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">32io</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">0net</SPAN> <SPAN class="t">16472k</SPAN> <SPAN class="t">0pf</SPAN> <SPAN class="t">Perforce</SPAN> <SPAN class="t">server</SPAN> <SPAN class="t">info:</SPAN> <SPAN class="t">Server</SPAN> <SPAN class="t">network</SPAN> <SPAN class="t">estimates:</SPAN> <SPAN class="t">files</SPAN> <SPAN class="t">added/updated/deleted=0/0/0</SPAN><SPAN>, </SPAN><SPAN class="t">bytes</SPAN> <SPAN class="t">added/updated=0/0</SPAN></P><P><SPAN class="t">2020/11/12</SPAN> <SPAN class="t">08:53:57</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">249917</SPAN>&nbsp;xyz@admin-client-for-stag&nbsp;<SPAN class="t">127.0.0.1</SPAN><SPAN> [</SPAN><SPAN class="t">p4/2018.1/LINUX26X86_64/1738923</SPAN><SPAN>] '</SPAN><SPAN class="t">user-sizes</SPAN> <SPAN class="t">//ddc/...</SPAN><SPAN>' --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t a"><SPAN class="t">lapse</SPAN></SPAN> <SPAN class="t">98.5s</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">rpc</SPAN> <SPAN class="t">msgs/size</SPAN> <SPAN class="t">in</SPAN><SPAN>+</SPAN><SPAN class="t">out</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">1814189/0mb</SPAN><SPAN>+</SPAN><SPAN class="t">509mb</SPAN> <SPAN class="t">himarks</SPAN> <SPAN class="t">795800/318788</SPAN> <SPAN class="t">snd/rcv</SPAN> <SPAN class="t">92.8s/.000s</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">db.revhx</SPAN><SPAN> --</SPAN><SPAN class="t">-</SPAN> <SPAN class="t">locks</SPAN> <SPAN class="t">read/write</SPAN> <SPAN class="t">1/0</SPAN> <SPAN class="t">rows</SPAN> <SPAN class="t">get</SPAN><SPAN>+</SPAN><SPAN class="t">pos</SPAN><SPAN>+</SPAN><SPAN class="t">scan</SPAN> <SPAN class="t">put</SPAN><SPAN>+</SPAN><SPAN class="t">del</SPAN> <SPAN class="t">0</SPAN><SPAN>+</SPAN><SPAN class="t">1</SPAN><SPAN>+</SPAN><SPAN class="t">1814190</SPAN> <SPAN class="t">0</SPAN><SPAN>+0</SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="t">2020/11/12</SPAN> <SPAN class="t">08:21:39</SPAN> <SPAN class="t">pid</SPAN> <SPAN class="t">245315</SPAN>&nbsp;xyz<SPAN class="t"><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/808">@Admin</a>-client-for-stag</SPAN>&nbsp;<SPAN class="t">127.0.0.1</SPAN> [<SPAN class="t">p4/2018.1/LINUX26X86_64/1738923</SPAN>] '<SPAN class="t">user-sizes</SPAN> <SPAN class="t">-s</SPAN> <SPAN class="t">-a</SPAN> <SPAN class="t">-b</SPAN> <SPAN class="t">512</SPAN> <SPAN class="t">//mapgrp/...</SPAN>' --<SPAN class="t">-</SPAN> <SPAN class="t a"><SPAN class="t">lapse</SPAN></SPAN> <SPAN class="t">106s</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">usage</SPAN> <SPAN class="t">51584</SPAN>+<SPAN class="t">13969us</SPAN> <SPAN class="t">75284368</SPAN>+<SPAN class="t">0io</SPAN> <SPAN class="t">0</SPAN>+<SPAN class="t">0net</SPAN> <SPAN class="t">8832k</SPAN> <SPAN class="t">0pf</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">db.rev</SPAN> --<SPAN class="t">-</SPAN> <SPAN class="t">pages</SPAN> <SPAN class="t">in</SPAN>+<SPAN class="t">out</SPAN>+<SPAN class="t">cached</SPAN> <SPAN class="t">4704508</SPAN>+<SPAN class="t">0</SPAN>+<SPAN class="t">96</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN><SPAN class="t">2020/11/12 08:14:10 pid 243592&nbsp;yyyz@admin-client-for-stag&nbsp;127.0.0.1 [p4/2018.1/LINUX26X86_64/1738923] 'user-sizes -s -a -b 512 //projects/...' --- <SPAN class="t a">lapse</SPAN> 80.4s --- usage 38774+9874us 49562128+0io 0+0net 8832k 0pf --- db.rev --- pages in+out+cached 3374543+0+96</SPAN></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN class="t">I have logs which shows lapse in seconds , they are several other logs along with this , i want to extract if logs pattern contains lapse and if lapse is greater than 100s ,and then print "<A href="mailto:p4admin@admin-client-for-stag-21&quot;" target="_blank" rel="noopener">xyz@admin-client-for-stag-21"</A>&nbsp;who is the user who did this change ,may be extract only </SPAN></P><LI-SPOILER>xyz</LI-SPOILER><P>user</P><P>&nbsp;</P><P><SPAN class="t">Any help ?</SPAN></P><P>&nbsp;</P><P><SPAN class="t">Thanks,</SPAN></P> Thu, 12 Nov 2020 13:19:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529133#M149393 vinodarokiya 2020-11-12T13:19:24Z Re: How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529140#M149396 <P>See if this helps.</P><LI-CODE lang="markup">... | rex "pid \d+ (?&lt;user&gt;\S+@\S+)" | rex "lapse (?&lt;lapse&gt;\d+\.?\d+)" | where lapse &gt; 100 | table user lapse</LI-CODE> Thu, 12 Nov 2020 13:45:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529140#M149396 richgalloway 2020-11-12T13:45:08Z Re: How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529149#M149400 <P>Thanks a lot</P> Thu, 12 Nov 2020 14:28:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529149#M149400 vinodarokiya 2020-11-12T14:28:03Z Re: How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529256#M149445 <P>May I please know how to extract one more table with all data that s there inside single quotes like :</P><P><SPAN>'</SPAN><SPAN class="t">user-sizes</SPAN> <SPAN class="t">//ddc/...</SPAN><SPAN>'</SPAN></P><P><SPAN>After getting username , lapse ,how do we even print data that s within single quotes <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</SPAN></P> Fri, 13 Nov 2020 08:10:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529256#M149445 vinodarokiya 2020-11-13T08:10:37Z Re: How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529307#M149474 <P>The process is very similar</P><LI-CODE lang="markup">... | rex "'(?&lt;field1&gt;[^\/]+)\/(?&lt;field2&gt;[^\/]*)\/(?&lt;field3&gt;[^\/]+)\/(?&lt;field4&gt;[^']+)'" ...</LI-CODE> Fri, 13 Nov 2020 14:13:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/529307#M149474 richgalloway 2020-11-13T14:13:43Z Re: How to parse p4 logs https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/530049#M149753 Thank you! Thu, 19 Nov 2020 08:37:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-parse-p4-logs/m-p/530049#M149753 vinodarokiya 2020-11-19T08:37:01Z