https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162822#M186016 <P>Hello,</P> <P>I am trying to graph the "packet receive error" value over time for one of our servers. This is a value returned from the *nix netstat command. The search query I am using is:</P> <P>index=os host=ourServerName source=netstat packet | rex "(?<PACKET_ERRORS>.*)\spacket receive errors" | timechart last(packet_errors)</PACKET_ERRORS></P> <P>No values are showing up in the results chart or in the packet_errors column of the results table. The Events List of the result set shows this:</P> <P><EM>... 336 lines omitted ...<BR /> 81551449019 packets received<BR /><BR /> 117791511 packets to unknown port received.<BR /> 72260802 packet receive errors<BR /><BR /> 47604771227 packets sent<BR /><BR /> ... 12 lines omitted ...<BR /> 3081684486 packets directly queued to recvmsg<BR /> 1075841087 packets directly received from backlog<BR /> 1579575698098 packets directly received from prequeue<BR /> 811125365 packets header predicted<BR /><BR /> 2953985762 packets header predicted and directly<BR /> ... 2 lines omitted ...</EM></P> <P>I tried using the Extract Fields feature but Splunk is telling me that no regex could be learned when I tried submitting the Extract Fields form with an example value of "72260802". I've been trying a variety of different rex'es but none have worked. The value I am trying to extract in the Event List example above is "72260802".</P> <P>Anyone have any tips or tricks to extracting this value?</P> <P>Thanks,<BR /> Chris</P> Mon, 02 Dec 2013 19:10:13 GMT bearlmax 2013-12-02T19:10:13Z https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162822#M186016 <P>Hello,</P> <P>I am trying to graph the "packet receive error" value over time for one of our servers. This is a value returned from the *nix netstat command. The search query I am using is:</P> <P>index=os host=ourServerName source=netstat packet | rex "(?<PACKET_ERRORS>.*)\spacket receive errors" | timechart last(packet_errors)</PACKET_ERRORS></P> <P>No values are showing up in the results chart or in the packet_errors column of the results table. The Events List of the result set shows this:</P> <P><EM>... 336 lines omitted ...<BR /> 81551449019 packets received<BR /><BR /> 117791511 packets to unknown port received.<BR /> 72260802 packet receive errors<BR /><BR /> 47604771227 packets sent<BR /><BR /> ... 12 lines omitted ...<BR /> 3081684486 packets directly queued to recvmsg<BR /> 1075841087 packets directly received from backlog<BR /> 1579575698098 packets directly received from prequeue<BR /> 811125365 packets header predicted<BR /><BR /> 2953985762 packets header predicted and directly<BR /> ... 2 lines omitted ...</EM></P> <P>I tried using the Extract Fields feature but Splunk is telling me that no regex could be learned when I tried submitting the Extract Fields form with an example value of "72260802". I've been trying a variety of different rex'es but none have worked. The value I am trying to extract in the Event List example above is "72260802".</P> <P>Anyone have any tips or tricks to extracting this value?</P> <P>Thanks,<BR /> Chris</P> Mon, 02 Dec 2013 19:10:13 GMT https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162822#M186016 bearlmax 2013-12-02T19:10:13Z https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162823#M186017 <P>Something like this should work, not much different from what you had:</P> <PRE><CODE>rex "(?&lt;packet_errors&gt;\d+)\s+packet\s+receive\s+errors" </CODE></PRE> Mon, 02 Dec 2013 19:49:34 GMT https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162823#M186017 lukejadamec 2013-12-02T19:49:34Z https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162824#M186018 <P>Thank you. You got me on the right track. Looks like there are two spaces in between the words in the phrase "packet receive errors". So this search works for me:</P> <P>index=os host=myServerName source=netstat packet | rex "(?<PACKET_ERRORS>\d+)\s\spacket\s\sreceive\s\serrors" | timechart last(packet_errors)</PACKET_ERRORS></P> <P>Thanks again.</P> Mon, 02 Dec 2013 20:48:32 GMT https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162824#M186018 bearlmax 2013-12-02T20:48:32Z https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162825#M186019 <P>yer welcome.</P> <P>For one or more in regex you can use a plus sign.</P> Mon, 02 Dec 2013 20:51:52 GMT https://community.splunk.com/t5/Splunk-Search/rex-fields-from-nix-netstat-output/m-p/162825#M186019 lukejadamec 2013-12-02T20:51:52Z