Solved: Re: splunk SPL command to filter events

vw5qb73 · ‎02-23-2016

Hi - I am indexing a JMX GC log in splunk. It has following entries

29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]
host = APP01 source = /export/home/jboss/jboss-4.3.0/server/main/log/gcverbose.10645.log sourcetype = gc_log_abc

Currently i use sourcetype=gc_log_bizx FULL "user=30*" to filter events where user time is taking 30s

I need to refine this query further to get all events where user= value is more than 30s

Can any one help me?

javiergn · ‎02-23-2016

If Splunk is extracting those key value pairs automatically you can simply do:

sourcetype=gc_log_bizx FULL user>30

If not, then extract the user field first and then use it:

sourcetype=gc_log_bizx FULL
| rex field=_raw "user=(?<user>[\d\.]+)"
| where user > 30

View solution in original post

javiergn · ‎02-23-2016

If Splunk is extracting those key value pairs automatically you can simply do:

sourcetype=gc_log_bizx FULL user>30

If not, then extract the user field first and then use it:

sourcetype=gc_log_bizx FULL
| rex field=_raw "user=(?<user>[\d\.]+)"
| where user > 30

vw5qb73 · ‎02-23-2016

Thank You..this is what i was looking for..Do you know any splunk doc that talks about rules to extract field values using regex?

javiergn · ‎02-23-2016

Any of the following might help:

http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Managesearch-timefieldextractions
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/ExtractfieldsinteractivelywithIFX

vw5qb73 · ‎02-23-2016

Yes. Thank You

vw5qb73 · ‎02-26-2016

Hi -

how do i extract these fields?

[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] 10302433K->9534469K(13121984K), 0.0823159 secs] [Times: user=0.63 sys=0.00, real=0.08 secs]

10302433K – JVM_HeapUsedBeforeGC
9534469K - JVM_HeapUsedAfterGC
13121984K - JVM_HeapSize
0.0823159 secs - JVM_GCTimeTaken

Can you help?

javiergn · ‎02-26-2016

(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)

See this: https://regex101.com/r/bO9iP8/1

vw5qb73 · ‎02-26-2016

Is it using rex command? i tried above in splunk search and got error

javiergn · ‎02-26-2016

Yeah, I only pasted the regular expression. You can use it with rex but the important bit is that you can rely on resources such as regex101 to test this out very easily.

rex field=_raw "(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)"

fdi01 · ‎02-23-2016

try like :

sourcetype=gc_log_bizx FULL "user>30*"

vw5qb73 · ‎02-23-2016

No, it didnt worked. Pls note events can be like

[Times: user=11.76 sys=0.40, real=8.09 secs]
[Times: user=30.76 sys=0.40, real=8.09 secs]

splunk SPL command to filter events

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!