topic Re: How to create a table based on certain fields from the Output Results? in Splunk Search

How to create a table based on certain fields from the Output Results?

dwin02 — Wed, 17 Feb 2016 14:46:11 GMT

Hi Splunk Support,

I'm trying to create a table based on certain fields from the Output Results:

Search String:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt"

Results :

    1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
   TYPE(QLOCAL)                            CURDEPTH(0)
     2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
   TYPE(QLOCAL)                            CURDEPTH(0)
     3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP)   TYPE(QLOCAL)
   CURDEPTH(0)

Table to Create:

QUEUE NAME                          CURRENT_QUEUE_DEPTH
VIA.EVENT.ACTUTIME.UPD.FOR.ODBS     CURDEPTH(0)

Thanks,
Aldwin

Re: How to create a table based on certain fields from the Output Results?

marina_rovira — Wed, 17 Feb 2016 16:24:06 GMT

Have you got fieldname for each of these fields?

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Wed, 17 Feb 2016 17:43:27 GMT

Try something like this

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Update#1

Try this

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
  | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Wed, 17 Feb 2016 19:08:45 GMT

Thank you for your suggestion but it's not working.

| rex "QUEUE\((?[^\)]+)[\S\s]CURDEPTH\((?\d+)"

The following regex expression doesn't show the queue name and nor the Current Queue Depth.

I'm trying to find out maybe there's something wrong with the expression but your suggestion is very appreciated.

Thanks,
Aldwin

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Wed, 17 Feb 2016 19:21:06 GMT

Try this

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
 | rex "QUEUE\((?<QUEUE_NAME>[^\)]" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Wed, 17 Feb 2016 20:18:27 GMT

Hi Somesoni2,

I'm now getting a result for the rex "CURDEPTH\((?\d+)" but still not working for rex "QUEUE\((?[^\)]".

Please see screenshot attach.

Thanks,
Aldwin

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Wed, 17 Feb 2016 21:08:59 GMT

Teere is an issue with the regex that I wrote. Fixed in the main answer (see Update#1).

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Wed, 17 Feb 2016 21:25:44 GMT

You mean this one:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
 | rex "QUEUE\((?[^\)]+)[\S\s]CURDEPTH\((?\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

I've tried this and it's not working.
Your second update worked but only for rex "CURDEPTH\((?\d+)", the rex "QUEUE\((?[^\)]" did not work.

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Wed, 17 Feb 2016 23:18:38 GMT

I mean this

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
       | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Thu, 18 Feb 2016 02:53:00 GMT

Hi Somesoni2,

Thank you for all your help. It worked perfectly.
If you don't mind, using the same search:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" | rex max_match=8 "QUEUE\((?[^\)]+)" | rex max_match=8  "CURDEPTH\((?\d+)"

I just want to show where the value of CURDEPTH is more than let's say 100, I've tried looking at some solutions but can't seem to find the right solution.

Thanks,
Aldwin

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Thu, 18 Feb 2016 03:37:34 GMT

Just add the filter condition like this at the end of the search

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
        | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH | where CURRENT_QUEUE_DEPTH > 100

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Tue, 29 Sep 2020 08:46:37 GMT

Hi Somesoni,
I've tried that already but it did not work. Even if I change it to where CURRENT_QUEUE_DEPTH > 1 since I only have 4 as the highest current depth.

Thanks,
Aldwin

Re: How to create a table based on certain fields from the Output Results?

somesoni2 — Thu, 18 Feb 2016 04:52:30 GMT

Do you you've multiple queues in single events and want to sum all the queue depth in each event and compare it to100? Or do you want to sum queue depth of all events and compare with 100?

Re: How to create a table based on certain fields from the Output Results?

dwin02 — Thu, 18 Feb 2016 05:19:32 GMT

It would need to this one :

Do you you've multiple queues in single events and want to sum all the queue depth in each event and compare it to100?