How to fetch different record Cache number from si...

aditsss · ‎08-26-2023

Hi Team,

I have below raw logs:

ReadFileImpl - Total number of records details processed for file: TRIM.UNB.D082423.T065617 is: 20516558 with total number of invalid record count: 0 - Data persisted to cache : 13169530

ReadFileImpl - Total number of records details processed for file: TRIM.BLD.D082423.T062015 is: 4043423 with total number of invalid record count: 0 - Data persisted to cache : 3388398

I wan to fetch the highlighted record counts along with file name.

My current query:

index="600000304_d_gridgain_idx*" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Data persisted to cache "

gcusello · ‎08-27-2023

Hi @aditsss,

let me understand: you wnat the regexes to extract values from the shared logs to use in thesearch, is it correct?

If this is yur requirement, please try this regex:

| rex "Total number of records details processed for file: (?<file>[^ ]*)\s+is:\s+(?<total_records_count>\d+) with total number of invalid record count: (?<invalid_record_count>\d+) - Data persisted to cache : (?<cache>\d+)"

That you can check at https://regex101.com/r/uSU7Tv/1

I could be more sure if you could share your full logs and nor only a part of them.

Ciao.

Giuseppe

How to fetch different record Cache number from single log

chart

panel

timechart

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Are you a member of the Splunk Community?