Help with Field Extraction for java app log

pcorchary — Mon, 27 Jul 2015 03:59:19 GMT

I'm having trouble getting a Field Extraction that I need and hope for some advice. Below are three examples.
Please let me know if you know something that can help.

I'm looking to extract the time duration for these GC events. It's this [number] right after total. can be like [1.1ms] or [1.1s] or 1.1m

>>> [gc][young][3755449][1020336] duration [1.1s], collections [1]/[1.4s], total [1.1s]/[4.2d]

[03:47:56,437][WARN ][monitor.jvm              ] [hostname] [gc][young][3755449][1020336] duration [1.1s], collections [1]/[1.4s], total [1.1s]/[4.2d], memory [4gb]->[3.8gb]/[7.7gb], all_pools {[young] [226.5mb]->[22.1mb]/[266.2mb]}{[survivor] [33.2mb]->[33.2mb]/[33.2mb]}{[old] [3.7gb]->[3.8gb]/[7.4gb]}
[03:47:56,623][TRACE][action.search.type       ] [hostname] got first-phase result from [F_YNXrlURDuJG5Sy57mKDw][f92104bc60034f1297cfa82c61362519][0]
[03:47:56,623][TRACE][action.search.type       ] [hostname] Moving to second phase, based on results from: [F_YNXrlURDuJG5Sy57mKDw][f92104bc60034f1297cfa82c61362519][0] (cluster state version: 100760)

[03:47:30,529][INFO ][monitor.jvm              ] [hostname] [gc][young][1571804][600909] duration [999ms], collections [1]/[1.1s], total [999ms]/[2.1d], memory [3.4gb]->[3.2gb]/[7.7gb], all_pools {[young] [255.2mb]->[4.9mb]/[266.2mb]}{[survivor] [33.2mb]->[33.2mb]/[33.2mb]}{[old] [3.1gb]->[3.2gb]/[7.4gb]}
[03:47:31,270][TRACE][action.search.type       ] [hostname] got first-phase result from [7rQtwqrvQhuKFlCT9W_bpQ][4f5edec88ad14733a10718db0650005d][2]
[03:47:31,270][TRACE][action.search.type       ] [hostname] Moving to second phase, based on results from: [7rQtwqrvQhuKFlCT9W_bpQ][4f5edec88ad14733a10718db0650005d][2] (cluster state version: 100760)
[03:47:32,983][TRACE][action.search.type       ] [hostname] got first-phase result from [7rQtwqrvQhuKFlCT9W_bpQ][4f5edec88ad14733a10718db0650005d][2]
[03:47:32,983][TRACE][action.search.type       ] [hostname] Moving to second phase, based on results from: [7rQtwqrvQhuKFlCT9W_bpQ][4f5edec88ad14733a10718db0650005d][2] (cluster state version: 100760)

[03:47:23,024][TRACE][action.search.type       ] [hostname] got first-phase result from [RUJK6WhPTvmwSEzFqEnbeA][c747d31b5d64490492def1af877744b4][0]
[03:47:23,024][TRACE][action.search.type       ] [hsotname] Moving to second phase, based on results from: [RUJK6WhPTvmwSEzFqEnbeA][c747d31b5d64490492def1af877744b4][0] (cluster state version: 100760)
[03:47:23,107][INFO ][monitor.jvm              ] [hostname] [gc][young][2692381][1017550] duration [814ms], collections [1]/[1s], total [814ms]/[3.2d], memory [2.5gb]->[2.3gb]/[7.7gb], all_pools {[young] [256.6mb]->[23.2mb]/[266.2mb]}{[survivor] [33.2mb]->[33.2mb]/[33.2mb]}{[old] [2.2gb]->[2.3gb]/[7.4gb]}
[03:47:23,936][TRACE][action.search.type       ] [hostname] got first-phase result from [3p_UQGwfTlKvNjj0HOgHog][fe56a21a62ab5223a2abfa9b5adecb54][3]
[03:47:23,936][TRACE][action.search.type       ] [hostname] Moving to second phase, based on results from: [3p_UQGwfTlKvNjj0HOgHog][fe56a21a62ab5223a2abfa9b5adecb54][3] (cluster state version: 100760)

Re: Help with Field Extraction for java app log

lcrielaa — Mon, 27 Jul 2015 06:43:56 GMT

Easiest would be

| rex field=_raw ".*duration\s\[(?<duration>.*?)\]"

This will capture everything in between the [] after the word "duration". So in your examples, it would be "1.1s", "999ms", and "814ms". Is that what you're looking for?

topic Re: Help with Field Extraction for java app log in Splunk Search

Help with Field Extraction for java app log

Re: Help with Field Extraction for java app log