topic Search split value with spaces in Splunk Search

Search split value with spaces

oferprtz — Mon, 08 Jul 2013 15:18:04 GMT

Hi,

Newbie here 🙂
trying to search value that actually split with spaces:

DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:
DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:

im trying to create a search or chart that will min and max the values of the elapsed.
since the values are seperated with spaces i cannot achieve that.

any ideas?

thanks,
ofer

Re: Search split value with spaces

aholzer — Mon, 08 Jul 2013 16:00:57 GMT

I'd suggest creating a field extraction for your values. That way you can later reference the field in your chart and / or search.

You'll need to use some regex to get the values properly. You can use something like this:
"elapsed\s:\s(?[^\s]+)\s"

Here's some documentation on field extraction:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

Re: Search split value with spaces

aholzer — Mon, 08 Jul 2013 20:57:16 GMT

the regex above is supposed to escape all the "s" after elapsed, but due to formatting it was lost when I pasted it in the comment. Here it is again:
"elapsed\s:\s(?[^\s]+)\s"

Re: Search split value with spaces

oferprtz — Tue, 09 Jul 2013 10:44:30 GMT

Thanks for the quick response aholzer!!
one more question 🙂
ive created new field extraction and saved it, but when i do a search the field 'elapsed' wouldnt show in the fields.
its shows up only when i use this line:
PerformanceMonitor | rex "elapsed\s:\s(?[^\s]+)\s"
in the search line.
what im missing here?

thanks,
ofer.

Re: Search split value with spaces

ranjyotiprakash — Tue, 09 Jul 2013 12:31:20 GMT

you can use the following command rex command to extract the elapsed field :

.... | rex field=_raw ".*\s+elapsed\s+:\s+(?<elapsed>\d+)\s"

and then use timechart, table, stats etc commands based upon your requirement.

Re: Search split value with spaces

aholzer — Tue, 09 Jul 2013 13:09:24 GMT

I'd have to take a look at your field extraction definition, but I'm guessing that you stored it for the wrong sourcetype, or you have a typo.

The other thing that could be happening is that your "elapsed" field occurs so rarely that it isn't one of your "interesting fields", since it doesn't appear in 50% or more of your events. In which case you would see it if you clicked on the "edit" button next to "selected fields" and look for "elapsed".

Re: Search split value with spaces

aholzer — Tue, 09 Jul 2013 13:19:20 GMT

@oferprtz, what @ranjyotiprakash says here is also a good method. I simply prefer creating a field extraction, for a couple of reasons:
1) It helps to be consistent where you store fields of interest to you
2) you don't have to reuse the code in every search you want this field included in

But what @ranjyotiprakash says is a great method to confirm that the regex for the field extraction is in fact working.

Re: Search split value with spaces

oferprtz — Tue, 09 Jul 2013 14:39:35 GMT

Thank you! found the issue, it was set as wrong sourcetype, now its working perfect!

thanks!

Re: Search split value with spaces

oferprtz — Tue, 09 Jul 2013 14:40:43 GMT

great stuff ranjyotiprakash! seems that the search works flawless, now ive got 2 methods of use!

thanks!