Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get numbers

pudanelilita
Explorer
‎08-26-2019 04:31 AM

Hi,
I need to get numbers between event.
1) event: Heap: 12.8G(15.0G), and 12.8 all the time is changing, and I need 15.0?
need to get this number 15.0 .

2) Also for some reason, when I try this search query it shows no outputs.
Event:
[Eden: 180.0M(6104.0M)->0.0B(6104.0M) Survivors: 0.0B->0.0B Heap: 3159.0M(12.0G)->2979.3M(12.0G)], [Metaspace: 535433K->535433K(1574912K)]

Query:
| rex Metaspace:\s(?\d+\.\d)\w | table metaspacenum | head 10

output in Statics there there is noting, just empty tables
tried to exclude with | search metaspacenum!=" "
but it didn't helped!

Tags (1)
0 Karma
Reply

jpolvino
Builder
‎08-26-2019 05:08 AM

Whichever solution you select, please consider making a macro to do your JVM metric extractions. We have such a solution, which is a series of rex statements, which produces a lot of useful fields.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-26-2019 10:42 AM

hint: why not create a TA with those regexes? 😉

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

jpolvino
Builder
‎08-26-2019 11:12 AM

Sure, a "Technology Add-on" is a great option to make them available to everyone. We happen to use macros for this case because they can be modified without admin involvement, and don't take up field storage space. One drawback is speed, but we use it infrequently so the trade-off is tolerable.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-29-2019 04:57 AM

hm.. what do you mean with field storage space? it will just move the extraction rex expressions from search spl to props/transforms making the extraction useful for everyone using the platform (depending on permissions ofc). IMO its easier to maintain and its easier to handle permissions than a macro is.

Also It will only use more storage space if you make them indexed extractions which it doesn't need to be the case. 😉

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-26-2019 04:51 AM

You can extract the values like this:

|rex "Heap:\s+(?<field1>[^\(]+)\((?<field2>[^\)]+)\)"

You can change field1 and field2 for whatever name you want to call the 12k part and the 15k part
Validate your regex here:
https://regex101.com/r/pY9RJu/1

Regarding your 2) your regex does not have a named capture group. so whatever field you're trying to filter results on does not exist. So its correct to show no results.
Try this instead:
| rex Metaspace:\s(?<metaspacenum>[\d\.]+)

Check your regex here https://regex101.com/r/Gp6vfD/1

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

Sukisen1981
Champion
‎08-26-2019 04:45 AM

for 2 try this

| makeresults
| eval x="[Eden: 180.0M(6104.0M)->0.0B(6104.0M) Survivors: 0.0B->0.0B Heap: 3159.0M(12.0G)->2979.3M(12.0G)], [Metaspace: 535433K->535433K(1574912K)]" 
|  rex field=x "Metaspace:(?<orig>.*?)\K->"
|  rex field=x ".*\((?<new>.*?)\)"

for 1, i think you added text to the event? where does Heap:.... end

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...