Solved: Re: Help on splunk query

suvi6789 · ‎08-14-2023

Hi ,

Below is my raw data

{

timestamp: 2023-09-10

Version:1

Kubernetes.namespace: X

Kubernetes.node: Y

App_id:12345

Host: server.ms.com

S_sourcetype=x

Source=lkms

}

Now, If query as index=123 | table log --> I get the complete data in the log field but my aim to create a table with columns as ProcessCPUload, SystemCPUload, Usedheapmemory, Maxheap memory, commited_memory with their respective values.

Could you help on how could I achieve this please

bowesmana · ‎08-14-2023

Use this rex statement

| rex field=Log "ProcessCPUload=(?<ProcessCPUload>[\d\.]*).+SystemCPUload(?<SystemCPUload>[\d\.]*).+Usedheapmemory=(?<Usedheapmemory>[\d\.]*).+Maxheap memory=(?<MaxheapMemory>[\d\.]*).+commited_memory=(?<commited_memory>[\d\.]*)"

It will generate a bunch of field names and assumes the format of the data will be as shown - if the order of the fields changes in the log, this will not work

View solution in original post

bowesmana · ‎08-14-2023

Use this rex statement

| rex field=Log "ProcessCPUload=(?<ProcessCPUload>[\d\.]*).+SystemCPUload(?<SystemCPUload>[\d\.]*).+Usedheapmemory=(?<Usedheapmemory>[\d\.]*).+Maxheap memory=(?<MaxheapMemory>[\d\.]*).+commited_memory=(?<commited_memory>[\d\.]*)"

It will generate a bunch of field names and assumes the format of the data will be as shown - if the order of the fields changes in the log, this will not work

suvi6789 · ‎08-15-2023

Ho Bowesmana,
Many thanks for the update. This has fixed my issue and I was able to generate the report that I needed 😊.

bowesmana · ‎08-15-2023

If this solution helped, please mark it as a solution so others can benefit.

suvi6789 · ‎08-18-2023

Yes, The suggested solution has worked.

How to create a splunk query for the following problem?

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!