topic Re: splunk SPL command to filter events in Splunk Search

splunk SPL command to filter events

vw5qb73 — Tue, 29 Sep 2020 08:53:40 GMT

Hi - I am indexing a JMX GC log in splunk. It has following entries

29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]
host = APP01 source = /export/home/jboss/jboss-4.3.0/server/main/log/gcverbose.10645.log sourcetype = gc_log_abc

Currently i use sourcetype=gc_log_bizx FULL "user=30*" to filter events where user time is taking 30s

I need to refine this query further to get all events where user= value is more than 30s

Can any one help me?

Re: splunk SPL command to filter events

fdi01 — Tue, 23 Feb 2016 09:29:18 GMT

try like :

sourcetype=gc_log_bizx FULL "user>30*"

Re: splunk SPL command to filter events

vw5qb73 — Tue, 23 Feb 2016 09:54:20 GMT

No, it didnt worked. Pls note events can be like

[Times: user=11.76 sys=0.40, real=8.09 secs]
[Times: user=30.76 sys=0.40, real=8.09 secs]

Re: splunk SPL command to filter events

javiergn — Tue, 23 Feb 2016 09:54:43 GMT

If Splunk is extracting those key value pairs automatically you can simply do:

sourcetype=gc_log_bizx FULL user>30

If not, then extract the user field first and then use it:

sourcetype=gc_log_bizx FULL
| rex field=_raw "user=(?<user>[\d\.]+)"
| where user > 30

Re: splunk SPL command to filter events

vw5qb73 — Tue, 23 Feb 2016 10:06:52 GMT

Thank You..this is what i was looking for..Do you know any splunk doc that talks about rules to extract field values using regex?

Re: splunk SPL command to filter events

javiergn — Tue, 23 Feb 2016 10:11:45 GMT

Any of the following might help:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Managesearch-timefieldextractions
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/ExtractfieldsinteractivelywithIFX

Re: splunk SPL command to filter events

vw5qb73 — Wed, 24 Feb 2016 06:23:13 GMT

Yes. Thank You

Re: splunk SPL command to filter events

vw5qb73 — Tue, 29 Sep 2020 08:56:19 GMT

Hi -

how do i extract these fields?

[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] 10302433K->9534469K(13121984K), 0.0823159 secs] [Times: user=0.63 sys=0.00, real=0.08 secs]

10302433K – JVM_HeapUsedBeforeGC
9534469K - JVM_HeapUsedAfterGC
13121984K - JVM_HeapSize
0.0823159 secs - JVM_GCTimeTaken

Can you help?

Re: splunk SPL command to filter events

javiergn — Fri, 26 Feb 2016 09:43:36 GMT

(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)

See this: https://regex101.com/r/bO9iP8/1

Re: splunk SPL command to filter events

vw5qb73 — Fri, 26 Feb 2016 09:56:18 GMT

Is it using rex command? i tried above in splunk search and got error

Re: splunk SPL command to filter events

javiergn — Fri, 26 Feb 2016 10:05:48 GMT

Yeah, I only pasted the regular expression. You can use it with rex but the important bit is that you can rely on resources such as regex101 to test this out very easily.

rex field=_raw "(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)"