Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Need help in parsing the CPU info with REX
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
02-19-2020
06:56 AM
I have been dumped with events what appears to be memory info.
memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79
I am supposed to display it in a tabular format like memTotalMB, memFreeMB etc... as the headers and 9201 , 66926 etc.. as their values . Could anyone help me with the query please ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mydog8it
Builder
02-19-2020
09:26 AM
Give this a try:
| makeresults
| eval _raw="memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79"
| rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)"
| table *
You only need the "| rex" portion of the search above just put your generating commands before it and visualization commands after it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mydog8it
Builder
02-19-2020
09:26 AM
Give this a try:
| makeresults
| eval _raw="memTotalMB memFreeMB memUsedMB memFreePct memUsedPct pgPageOut swapUsedPct pgSwapOut cSwitches interrupts forks processes threads loadAvg1mi waitThreads interrupts_PS pgPageIn_PS pgPageOut_PS
92101 66926 7175 77.6 21.4 3497702952 3.6 909526 998772788 4232481396 16909785 302 1012 4.07 0.00 7876.48 341.04 41.79"
| rex "[\s](?P<memTotalMB>\d+\.?\d+)\s+(?P<memFreeMB>\d+\.?\d+)\s+(?P<memUsedMB>\d+\.?\d+)\s+(?P<memFreePct>\d+\.?\d+)\s+(?P<memUsedPct>\d+\.?\d+)\s+(?P<pgPageOut>\d+\.?\d+)\s+(?P<swapUsedPct>\d+\.?\d+)\s+(?P<pgSwapOut>\d+\.?\d+)\s+(?P<cSwitches>\d+\.?\d+)\s+(?P<interrupts>\d+\.?\d+)\s+(?P<forks>\d+\.?\d+)\s+(?P<processes>\d+\.?\d+)\s+(?P<threads>\d+\.?\d+)\s+(?P<loadAvg1mi>\d+\.?\d+)\s+(?P<waitThreads>\d+\.?\d+)\s+(?P<interrupts_PS>\d+\.?\d+)\s+(?P<pgPageIn_PS>\d+\.?\d+)\s+(?P<pgPageOut_PS>\d+\.?\d+)"
| table *
You only need the "| rex" portion of the search above just put your generating commands before it and visualization commands after it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-19-2020
08:22 AM
Hi @zacksoft,
Try this query:
index=<index_name> | rex field=raw "\s+[^\d]+1[^\d]+\s+(?<values>[\d\s.]+)" | makemv delim=" " values | eval memTotalMB=mvindex(values, 0),memFreeMB=mvindex(values, 1),memUsedMB=mvindex(values, 2),memFreePct=mvindex(values, 3),memUsedPct=mvindex(values, 4),pgPageOut=mvindex(values, 5),swapUsedPct=mvindex(values, 6),pgPageIn_PS=mvindex(values, 16),pgPageOut_PS=mvindex(values, 17)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-19-2020
07:24 AM
is it a single event containing both field names and values? Please post some more events. This looks like a tsv event, it should be parsed before indexing. TSV extractions can be done using props.conf in forwarders.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
02-19-2020
07:43 AM
Can't we use REX to parse it on user side. We have no option to do it (restricted by admin).
All the events look identical, just like the one I posted. Could you assist with some parsing to extract the info
Get Updates on the Splunk Community!
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
