topic Re: Unable to do timechart for a field which has varying values in Splunk Search

Unable to do timechart for a field which has varying values

anoopambli — Sun, 16 Oct 2016 13:38:16 GMT

I am extracting a field using regular expression, it looks like below, These are top 5 processes which is consuming high memory

SiteScope.exe MemGB : 4886
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125
WmiApSrv.exe MemGB : 107
SiteScope.exe MemGB : 4885
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125
WmiApSrv.exe MemGB : 107
SiteScope.exe MemGB : 4884
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125

I am splitting the process name and memory usage again using regex. Once i do that there is be 5 process names but many numbers of memory usage values (during the selected time frame). I want to do a timechart for memory usage but it is not coming up correctly. When i do a table for Processname and memory, each event is coming up with 5 proc names and mem usage. How do i split them into separate events?

Re: Unable to do timechart for a field which has varying values

sundareshr — Sun, 16 Oct 2016 14:40:50 GMT

Please share your query (including the regex)

Re: Unable to do timechart for a field which has varying values

anoopambli — Tue, 29 Sep 2020 11:23:58 GMT

index = tso_operations sourcetype = sitescope_monitorstate host = tsmonw24prdv "[TSMONW46PRDV] Top 10 Proc_Mem" | rex max_match=5 "Name\s+:\s+(?\S+\sMemGB\s:\s\d+)" | rex field=Process "(?^\w+).exe\sMemGB\s:\s(?\d+)"

Re: Unable to do timechart for a field which has varying values

richgalloway — Sun, 16 Oct 2016 17:52:28 GMT

Is the sample data a single event or multiple events?

Re: Unable to do timechart for a field which has varying values

somesoni2 — Sun, 16 Oct 2016 19:23:47 GMT

You would need mvexpand command to split a multivalued field. Give this a try

index = tso_operations sourcetype = sitescope_monitorstate host = tsmonw24prdv "[TSMONW46PRDV] Top 10 Proc_Mem" | rex max_match=5 "Name\s+:\s+(?<Process>\S+\sMemGB\s:\s\d+)" | mvexpand Process | rex field=Process "^(?<Process>\w+).exe\sMemGB\s:\s(?<MemGB>\d+)" | timechart max(MemGB) by Process limit=0

Re: Unable to do timechart for a field which has varying values

anoopambli — Mon, 17 Oct 2016 04:09:00 GMT

That worked. Thank you very much.

Re: Unable to do timechart for a field which has varying values

sloshburch — Mon, 17 Oct 2016 21:10:13 GMT

Isn't this info also available from the top input in the Nix TA? I thought both Win and Nix TAs had nice definitions of data collections and sourcetypes for this type of info.