topic Get numbers in Splunk Search

Get numbers

pudanelilita — Mon, 26 Aug 2019 11:31:45 GMT

Hi,
I need to get numbers between event.
1) event: Heap: 12.8G(15.0G), and 12.8 all the time is changing, and I need 15.0?
need to get this number 15.0 .

2) Also for some reason, when I try this search query it shows no outputs.
Event:
[Eden: 180.0M(6104.0M)->0.0B(6104.0M) Survivors: 0.0B->0.0B Heap: 3159.0M(12.0G)->2979.3M(12.0G)], [Metaspace: 535433K->535433K(1574912K)]

Query:
| rex Metaspace:\s(?\d+\.\d)\w | table metaspacenum | head 10

output in Statics there there is noting, just empty tables
tried to exclude with | search metaspacenum!=" "
but it didn't helped!

Re: Get numbers

Sukisen1981 — Mon, 26 Aug 2019 11:45:27 GMT

for 2 try this

| makeresults
| eval x="[Eden: 180.0M(6104.0M)->0.0B(6104.0M) Survivors: 0.0B->0.0B Heap: 3159.0M(12.0G)->2979.3M(12.0G)], [Metaspace: 535433K->535433K(1574912K)]" 
|  rex field=x "Metaspace:(?<orig>.*?)\K->"
|  rex field=x ".*\((?<new>.*?)\)"

for 1, i think you added text to the event? where does Heap:.... end

Re: Get numbers

diogofgm — Mon, 26 Aug 2019 11:51:01 GMT

You can extract the values like this:

|rex "Heap:\s+(?<field1>[^\(]+)\((?<field2>[^\)]+)\)"

You can change field1 and field2 for whatever name you want to call the 12k part and the 15k part
Validate your regex here:
https://regex101.com/r/pY9RJu/1

Regarding your 2) your regex does not have a named capture group. so whatever field you're trying to filter results on does not exist. So its correct to show no results.
Try this instead:
| rex Metaspace:\s(?<metaspacenum>[\d\.]+)

Check your regex here https://regex101.com/r/Gp6vfD/1

Re: Get numbers

jpolvino — Mon, 26 Aug 2019 12:08:29 GMT

Whichever solution you select, please consider making a macro to do your JVM metric extractions. We have such a solution, which is a series of rex statements, which produces a lot of useful fields.

Re: Get numbers

diogofgm — Mon, 26 Aug 2019 17:42:56 GMT

hint: why not create a TA with those regexes? 😉

Re: Get numbers

jpolvino — Mon, 26 Aug 2019 18:12:02 GMT

Sure, a "Technology Add-on" is a great option to make them available to everyone. We happen to use macros for this case because they can be modified without admin involvement, and don't take up field storage space. One drawback is speed, but we use it infrequently so the trade-off is tolerable.

Re: Get numbers

diogofgm — Thu, 29 Aug 2019 11:57:37 GMT

hm.. what do you mean with field storage space? it will just move the extraction rex expressions from search spl to props/transforms making the extraction useful for everyone using the platform (depending on permissions ofc). IMO its easier to maintain and its easier to handle permissions than a macro is.

Also It will only use more storage space if you make them indexed extractions which it doesn't need to be the case. 😉