Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help in parsing the CPU info with REX

zacksoft
Contributor
‎02-19-2020 06:56 AM

I have been dumped with events what appears to be memory info.

memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi  waitThreads    interrupts_PS    pgPageIn_PS    pgPageOut_PS
     92101       66926        7175        77.6        21.4  3497702952          3.6      909526   998772788  4232481396    16909785         302        1012        4.07        0.00       7876.48        341.04         41.79

I am supposed to display it in a tabular format like memTotalMB, memFreeMB etc... as the headers and 9201 , 66926 etc.. as their values . Could anyone help me with the query please ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mydog8it
Builder
‎02-19-2020 09:26 AM

Give this a try:

| makeresults
| eval _raw="memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi  waitThreads    interrupts_PS    pgPageIn_PS    pgPageOut_PS
      92101       66926        7175        77.6        21.4  3497702952          3.6      909526   998772788  4232481396    16909785         302        1012        4.07        0.00       7876.48        341.04         41.79" 
| rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)" 
| table *

You only need the "| rex" portion of the search above just put your generating commands before it and visualization commands after it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mydog8it
Builder
‎02-19-2020 09:26 AM

Give this a try:

| makeresults
| eval _raw="memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi  waitThreads    interrupts_PS    pgPageIn_PS    pgPageOut_PS
      92101       66926        7175        77.6        21.4  3497702952          3.6      909526   998772788  4232481396    16909785         302        1012        4.07        0.00       7876.48        341.04         41.79" 
| rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)" 
| table *

You only need the "| rex" portion of the search above just put your generating commands before it and visualization commands after it.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-19-2020 08:22 AM

Hi @zacksoft,
Try this query:

 index=<index_name> | rex field=raw "\s+[^\d]+1[^\d]+\s+(?<values>[\d\s.]+)" | makemv delim="  " values | eval memTotalMB=mvindex(values, 0),memFreeMB=mvindex(values, 1),memUsedMB=mvindex(values, 2),memFreePct=mvindex(values, 3),memUsedPct=mvindex(values, 4),pgPageOut=mvindex(values, 5),swapUsedPct=mvindex(values, 6),pgPageIn_PS=mvindex(values, 16),pgPageOut_PS=mvindex(values, 17)
0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-19-2020 07:24 AM

is it a single event containing both field names and values? Please post some more events. This looks like a tsv event, it should be parsed before indexing. TSV extractions can be done using props.conf in forwarders.

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎02-19-2020 07:43 AM

Can't we use REX to parse it on user side. We have no option to do it (restricted by admin).

All the events look identical, just like the one I posted. Could you assist with some parsing to extract the info

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...