Trying to report % Processor Time per-process (instance) however the raw data isn't being correctly extracted it seems, with the data being truncated at a comma.
Each event collected from PerfMon has a line with a value for instance. A raw event looks like this:
11/02/2018 23:04:07.988 -0600
collection="Processor Information"
object="Processor Information"
counter="% Processor Time"
instance=0,0
Value=3.343537056348178
The problem arises when trying to differentiate values across 16 possible threads on a Xeon 8 Core Hyper-threaded server where the instance values all report like follows:
instance=0,0
instance=0,1
instance=0,2
instance=0,3
...
instance=0,12
instance=0,13
instance=0,14
instance=0,15
The Windows TA is only extracting the Instance=0 portion causing the last digit to be chopped off at the comma.
What would need to be changed in order to correct the extraction for these individual cpu core values?
You'd need to
(?m)^instance=(?<instance>[^\r\n]+)
. That will overwrite the default key=value extraction which assumes unquoted values can be separated and therefore terminated by commas.You'd need to
(?m)^instance=(?<instance>[^\r\n]+)
. That will overwrite the default key=value extraction which assumes unquoted values can be separated and therefore terminated by commas.Thanks, @martin_mueller. Creating the Extract in my Search Cloud as you described extracted the correct instances!