Splunk Search

Can you help me extract the time value and the thread count from the following data using regex?

shivam2411
New Member

00000887 ThreadMonitor W WSVR0606W: Thread "WebContainer : 24" (00000887) was previously reported to be hung but has completed. It was active for approximately 1386249 milliseconds. There is/are 0 thread(s) in total in the server that still may be hung.

Here I want to extract the time value and the thread count using regex.

0 Karma

damann
Communicator

I assume that 1386249 is the time value you are looking for and 0 is the thread count you want to extract.
Just try the following regex:

base search | rex field=_raw "approximately (?<time_value>\d+) milliseconds.*is\/are (?<thread_count>\d+)"

If you need further extractions take a look at https://regex101.com. There you can try out your regular expression with instant feedback.

0 Karma
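
An added example, not part of either post: the pattern from the answer checked offline in Python against the event from the question, plus two constructed events. It assumes an event may arrive wrapped over two lines, which the thread does not show; in that case `.*` stops at the line break, so the hardened pattern uses `[\s\S]*?` instead.

```python
import re

# Pattern from the answer, in Python spelling: Python's re module writes named
# groups as (?P<name>...) where Splunk's rex accepts (?<name>...).
ORIGINAL = re.compile(
    r"approximately (?P<time_value>\d+) milliseconds.*is\/are (?P<thread_count>\d+)"
)

# Variant for the assumed wrapped-event case: "." does not match a newline by
# default, [\s\S] does. Anchoring on "thread(s)" keeps the lazy match tight.
HARDENED = re.compile(
    r"approximately (?P<time_value>\d+) milliseconds"
    r"[\s\S]*?is/are (?P<thread_count>\d+) thread\(s\)"
)

def extract(event, pattern=HARDENED):
    """Return (time_value_ms, thread_count) as ints, or None when no match."""
    m = pattern.search(event)
    if m is None:
        return None
    return int(m.group("time_value")), int(m.group("thread_count"))

# Event copied from the question.
FROM_POST = (
    '00000887 ThreadMonitor W WSVR0606W: Thread "WebContainer : 24" (00000887) '
    "was previously reported to be hung but has completed. It was active for "
    "approximately 1386249 milliseconds. There is/are 0 thread(s) in total in "
    "the server that still may be hung."
)
# Constructed: the same event with a line break before the second sentence.
WRAPPED = FROM_POST.replace(" There is/are", "\nThere is/are")
# Constructed: a line that carries neither value.
UNRELATED = "0000002a ExampleComponent I sample message without either field"

if __name__ == "__main__":
    for name, ev in [("post", FROM_POST), ("wrapped", WRAPPED), ("other", UNRELATED)]:
        print(name, "original:", extract(ev, ORIGINAL), "hardened:", extract(ev))
```
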