Parsing Text

kenosborn · ‎05-04-2012

I have the following percent values in indexed logfiles:

Loss=0.00%/0.00% (R/T)

How can I construct a search query that will only look at the percent values before the '/' (aka 'R' or 'Receive)?

Conversely how can I construct a search query that will only look at the percent values after the '/' (aka 'T' or 'Transmit')?

Ultimately I want to create min/max charts for these values...

Thank you!

-Ken

kristian_kolb · ‎05-04-2012

That should be fairly simple

sourcetype=your_sourcetype | rex field=Loss "(?<ReceiveLoss>[^%]+)%/(?<TransmitLoss>[^%]+)%"

This would give you two new fields to make charts from.

This type of field extraction has to be specified as part of the search query, but you could make the extraction more 'permanent' by instead adding the extraction to the props.conf stanza for your sourcetype;

[your_sourcetype]
EXTRACT-blah Loss=(?<RecieveLoss>[^%]+)%/(?<TransmitLoss>[^%]+)

Either way, once you have the fields extracted, you could create charts with timechart or chart;

your_search |timechart span=5m max(ReceiveLoss) AS MaxRLoss min(ReceiveLoss) AS MinRLoss max(TransmitLoss) AS MaxTLoss min(TransmitLoss) AS MinTLoss

Then you can save it to a dashboard as a line chart or whatever you like.

Hope this helps,

Kristian

kristian_kolb · ‎05-04-2012

more updates. /k

kristian_kolb · ‎05-04-2012

updated and fixed an error. /k

Parsing Text

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!