Can you help me with a problem I'm having with the delta command for microseconds?

Mustang1964s
New Member

I have the following search.

index=ironstream IFCID=1 LUWID_LUNAME=DBTP
| rex "QWSAPROC_0001\":\"(?P<proc_type>[0-9,A-Z]+)\""
| rex "QWSAPSRB_0001\":\"(?P<srb_tm>[0-9]+)\""
| rex "QWSAPSRB_ZIIP_0001\":\"(?P<ziip_srb_tm>[0-9]+)\""
| rex "QWSAEJST_0001\":\"(?P<tcb_tm>[0-9]+)\""
| rex delta srb_tm as srb_tmd
| eval srb_tmd=srb_tmd/1000000
| eval ziip_srb_tm=ziip_srb_tm/1000000
| eval srb_tm2=srb_tm2/1000000
| eval tcb_tm=tcb_tm/1000000
| timechart span=5min avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME limit=25

I need to find the delta between the current and previous variable.

It seems that the delta command is not working no matter where I put it.

I don't think the average is the correct command in the timechart when I really need it to plot the delta between the first and second, third and second, etc. If I can get the first one working, then the rest would be a clone.

Here is what the input looks like.
The error I am getting is:

Error in 'rex' command: The regex 'delta' does not extract anything. It should specify at least one named group. Format: (?...).

DATETIME:   2018-12-28 09:54:01.03 -0600
IFCID:  1
LUWID_LUNAME:   DBTP
MFSOURCETYPE:   SMF100
QWSAEJST_0001:  4188699248
QWSAEJST_0002:  998394598
QWSAEJST_0003:  1972500005
QWSAEJST_0004:  96287
QWSAPROC_0001:  MSTR
QWSAPROC_0002:  DBM1
QWSAPROC_0003:  DIST
QWSAPROC_0004:  IRLM
QWSAPSRB_0001:  4246164184
QWSAPSRB_0002:  4261556787
QWSAPSRB_0003:  31787112375
QWSAPSRB_0004:  0
QWSAPSRB_ZIIP_0001:     3708120592
QWSAPSRB_ZIIP_0002:     38980597677
QWSAPSRB_ZIIP_0003:     44522321198
QWSAPSRB_ZIIP_0004:     0
QWSASRBT_0001:  4962927087
QWSASRBT_0002:  4445020542
QWSASRBT_0003:  32350120018
QWSASRBT_0004:  1260340950

Sincerely,

Steve B.


woodcock
Esteemed Legend

Like this:

...
| rex mode=sed "s/:\s+/=/g s/[\r\n]+/, /g"
| kv
| rename QWSAPROC_0001 AS proc_type, QWSAPSRB_0001 AS srb_tm, QWSAPSRB_ZIIP_0001 AS ziip_srb_tm, QWSAEJST_0001 AS tcb_tm
| delta srb_tm AS srb_tmd
| eval srb_tmd=srb_tmd/1000000 
| eval ziip_srb_tm=ziip_srb_tm/1000000 
| eval srb_tm2=srb_tm2/1000000 
| eval tcb_tm=tcb_tm/1000000 
| timechart span=5min limit=25 avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME

martin_mueller
SplunkTrust

The correct delta syntax with a rename would be ... | delta srb_tm as srb_tmd | ...

The way you had it included a superfluous rex command between the pipe and the delta, resulting in the posted error.

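As an added illustration of what the `delta` step in the two answers above does (this is not code from the thread or from Splunk), here is a small Python equivalent: it parses the `KEY:   value` event layout from the question, computes current-minus-previous on QWSAPSRB_0001 (srb_tm), scales microseconds to seconds as the `eval` does, and shows that the sign of the result depends on event order, since `delta` works in the order events are returned (newest first by default unless the search is reversed or sorted by `_time`). The second event is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in the "KEY:   value" layout from the question.
# The first is the event from the post; the second is a made-up later sample
# whose QWSAPSRB_0001 counter has advanced by 800000 microseconds.
EVENTS_RAW = [
    "DATETIME:   2018-12-28 09:54:01.03 -0600\n"
    "IFCID:  1\n"
    "QWSAPSRB_0001:  4246164184\n"
    "QWSAPSRB_ZIIP_0001:     3708120592\n"
    "QWSAEJST_0001:  4188699248\n",
    "DATETIME:   2018-12-28 09:59:01.05 -0600\n"
    "IFCID:  1\n"
    "QWSAPSRB_0001:  4246964184\n"
    "QWSAPSRB_ZIIP_0001:     3708220592\n"
    "QWSAEJST_0001:  4188799248\n",
]

KV_RE = re.compile(r"^\s*(\w+):\s+(.*?)\s*$", re.MULTILINE)


def parse_event(raw: str) -> Dict[str, str]:
    """Roughly what `rex mode=sed ... | kv` does: one field dict per event."""
    return dict(KV_RE.findall(raw))


def delta(values: List[int]) -> List[Optional[float]]:
    """Mimic `| delta f AS d | eval d=d/1000000`: current minus previous,
    in the given order, scaled from microseconds to seconds. The first
    value has no predecessor, so it gets None (Splunk leaves it empty)."""
    out: List[Optional[float]] = []
    prev: Optional[int] = None
    for v in values:
        out.append(None if prev is None else (v - prev) / 1_000_000)
        prev = v
    return out


def srb_deltas(raw_events: List[str], newest_first: bool) -> List[Optional[float]]:
    """Parse, order by DATETIME (string order is fine for this fixed layout),
    then apply delta to QWSAPSRB_0001, the field renamed srb_tm in the question."""
    events = sorted((parse_event(r) for r in raw_events),
                    key=lambda e: e["DATETIME"], reverse=newest_first)
    return delta([int(e["QWSAPSRB_0001"]) for e in events])


if __name__ == "__main__":
    # Default search order is newest first, which flips the sign of the delta.
    print("newest first:", srb_deltas(EVENTS_RAW, newest_first=True))   # [None, -0.8]
    print("oldest first:", srb_deltas(EVENTS_RAW, newest_first=False))  # [None, 0.8]
```

If the chart should show how much the counter grew per interval, put `| reverse` or `| sort _time` before `| delta`, otherwise the values come out negative.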