splunk SPL command to filter events

Explorer

Hi - I am indexing a JMX GC log in Splunk. It has the following entries

29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]
host = APP01 source = /export/home/jboss/jboss-4.3.0/server/main/log/gcverbose.10645.log sourcetype = gclogabc

Currently I use sourcetype=gclogbizx FULL "user=30*" to filter events where user time is taking 30s

I need to refine this query further to get all events where the user= value is more than 30s

Can anyone help me?

Re: splunk SPL command to filter events

Motivator

Try like:

sourcetype=gc_log_bizx FULL "user>30*"
Re: splunk SPL command to filter events

Explorer

No, it didn't work. Please note events can be like

[Times: user=11.76 sys=0.40, real=8.09 secs]
[Times: user=30.76 sys=0.40, real=8.09 secs]

Re: splunk SPL command to filter events

SplunkTrust

If Splunk is extracting those key value pairs automatically you can simply do:

sourcetype=gc_log_bizx FULL user>30

If not, then extract the user field first and then use it:

sourcetype=gc_log_bizx FULL
| rex field=_raw "user=(?<user>[\d\.]+)"
| where user > 30


Re: splunk SPL command to filter events

Explorer

Thank you, this is what I was looking for. Do you know any Splunk doc that talks about rules to extract field values using regex?

Re: splunk SPL command to filter events

Explorer

Yes. Thank You

Re: splunk SPL command to filter events

Explorer

Hi -

How do I extract these fields?

[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] 10302433K->9534469K(13121984K), 0.0823159 secs] [Times: user=0.63 sys=0.00, real=0.08 secs]

10302433K - JVMHeapUsedBeforeGC
9534469K - JVMHeapUsedAfterGC
13121984K - JVMHeapSize
0.0823159 secs - JVMGCTimeTaken

Can you help?

Re: splunk SPL command to filter events

SplunkTrust

(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)

See this: https://regex101.com/r/bO9iP8/1

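The two extractions discussed in this thread, the accepted `rex "user=(?<user>[\d\.]+)" | where user > 30` filter and the later ParNew regex, carried through in Python as an added example (this is not code from the original thread or from Splunk). The sample log lines are constructed to match the formats quoted above; the helper names (`extract_user`, `filter_long_user`, `size_to_kb`, `extract_parnew_fields`) are mine, and the one deliberate change from the posted regex is that ` secs` is captured outside the `JVM_GCTimeTaken` group so the value is purely numeric. The example also shows why the original `"user=30*"` search is a string prefix match rather than a numeric comparison: it finds `user=30.76` but not `user=31.20`.

```python
import re

# Constructed sample GC log lines (not from the original thread), modelled on the
# two formats quoted there. The 31.20 line is the key case: a prefix match on
# "user=30" misses it, a numeric comparison on the extracted field catches it.
SAMPLE_LINES = [
    "[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] "
    "10302433K->9534469K(13121984K), 0.0823159 secs] "
    "[Times: user=0.63 sys=0.00, real=0.08 secs]",
    "[GC 44700.101: [ParNew: 930000K->170000K(1071552K), 0.0900000 secs] "
    "10400000K->9600000K(13121984K), 0.0905000 secs] "
    "[Times: user=30.76 sys=0.40, real=8.09 secs]",
    "[GC 44800.555: [ParNew: 931000K->180000K(1071552K), 0.1000000 secs] "
    "10500000K->9700000K(13121984K), 0.1005000 secs] "
    "[Times: user=31.20 sys=0.50, real=9.10 secs]",
    "29800.962: [Full GC 29800.962: [CMS29805.756: "
    "[CMS-concurrent-mark: 8.059/8.092 secs] "
    "[Times: user=11.76 sys=0.40, real=8.09 secs]",
]

# Python equivalent of:  | rex field=_raw "user=(?<user>[\d\.]+)"
# (Python's re needs (?P<name>...); Splunk's PCRE-based rex accepts (?<name>...).)
USER_RE = re.compile(r"user=(?P<user>[\d\.]+)")

# The ParNew pattern from the SplunkTrust reply, with " secs" moved outside the
# JVM_GCTimeTaken group so the captured value is a plain number.
PARNEW_RE = re.compile(
    r"\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+"
    r"(?P<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?P<JVM_HeapUsedAfterGC>[\d\.KM]+)"
    r"\((?P<JVM_HeapSize>[\d\.KM]+)\),\s+(?P<JVM_GCTimeTaken>[\d\.]+) secs\]\s+"
    r"\[Times: user=(?P<user>[\d\.]+)"
)

# Hypothetical helper pattern (mine): a JVM size such as "929756K" or "12M".
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KM]?)$")


def extract_user(line):
    """Return the user CPU time as a float, or None if the line has no user= field."""
    m = USER_RE.search(line)
    return float(m.group("user")) if m else None


def prefix_match(lines, needle):
    """What a search term like "user=30*" effectively does: a string prefix match."""
    return [ln for ln in lines if needle in ln]


def filter_long_user(lines, threshold=30.0):
    """Equivalent of '| where user > 30': numeric comparison on the extracted field."""
    out = []
    for ln in lines:
        user = extract_user(ln)
        if user is not None and user > threshold:
            out.append(ln)
    return out


def size_to_kb(text):
    """Convert a JVM size like '929756K' or '12M' to whole kilobytes."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    value, unit = float(m.group(1)), m.group(2)
    if unit == "M":
        value *= 1024
    return int(value)


def extract_parnew_fields(line):
    """Return the heap/timing fields of a ParNew line, or None for other GC events."""
    m = PARNEW_RE.search(line)
    if not m:
        return None
    return {
        "JVM_HeapUsedBeforeGC": size_to_kb(m.group("JVM_HeapUsedBeforeGC")),
        "JVM_HeapUsedAfterGC": size_to_kb(m.group("JVM_HeapUsedAfterGC")),
        "JVM_HeapSize": size_to_kb(m.group("JVM_HeapSize")),
        "JVM_GCTimeTaken": float(m.group("JVM_GCTimeTaken")),
        "user": float(m.group("user")),
    }


if __name__ == "__main__":
    print("prefix match 'user=30':", len(prefix_match(SAMPLE_LINES, "user=30")), "line(s)")
    print("numeric user > 30:     ", len(filter_long_user(SAMPLE_LINES)), "line(s)")
    for ln in SAMPLE_LINES:
        print(extract_parnew_fields(ln))
```

In Splunk the same split applies: a bare search term is matched against the raw text, so `"user=30*"` only finds values that begin with `30`, while `| where user > 30` compares the extracted field numerically and also returns `31.20`, `45.0` and so on. The regex posted above is the pattern only; in a search it has to be wrapped as `| rex field=_raw "<pattern>"` to create the fields.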

Re: splunk SPL command to filter events

Explorer

Is it using the rex command? I tried the above in Splunk search and got an error.
