Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Chart a specific value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry... I'm completely new to this.
I have used punct (search feature) to select the type of record from my home automation log. Now I want chart the various values within the "C|22|23|16|23|OFF|ON|OFF|OFF|NORMAL" (example below). The first value is unit of temp, second is Temp Set point, third is the actual house temp, etc. I've read through the docs and tried the field extraction using interactive (IFX) to develop a rex.. but I am unsuccessful in creating fields. Is there another way?
2011-06-09 06:10:51.340 02:21:50.5169187 (017) I0 Broadcasted notification: ["ZWAVE:22", "C|22|23|16|23|OFF|ON|OFF|OFF|NORMAL"] for device [Thermostat]
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do your search and pipe into the "rex" command to extract fields directly within the search. This is a good way to test through the extraction.
sourcetype=my_sourcetype | rex "Broadcasted notification: \[\"ZWAVE:22\", \"(?<temp_unit>\w)\|(?<temp_setting>\d+)\|(?<temp>\d+)\|(?<other1>\d+)\|(?<other2>\d+)\|(?<switch1>\w+)\|(?<switch2>\w+)\|(?<switch3>\w+)\|(?<switch4>\w+)\|(?<state>\w+)\"\] for device \[(?<device_name>\w+)\]"
Once you're happy with everything, it's best to take that extraction and make it permanent. You can go to "Manager" -> "Fields" -> "Field Extractions" -> "Add New":
[my_sourcetype]
EXTRACT-thermodata = Broadcasted notification: \[\"ZWAVE:22\", \"(?<temp_unit>\w)\|(?<temp_setting>\d+)\|(?<temp>\d+)\|(?<other1>\d+)\|(?<other2>\d+)\|(?<switch1>\w+)\|(?<switch2>\w+)\|(?<switch3>\w+)\|(?<switch4>\w+)\|(?<state>\w+)\"\] for device \[(?<device_name>\w+)\]
Once you do that, you won't have to specify the nasty "rex" piece during your searches, and you can do stuff like:
sourcetype=my_sourcetype | timechart avg(temp)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!!! This has enabled me to chart in many ways!
It's working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do your search and pipe into the "rex" command to extract fields directly within the search. This is a good way to test through the extraction.
sourcetype=my_sourcetype | rex "Broadcasted notification: \[\"ZWAVE:22\", \"(?<temp_unit>\w)\|(?<temp_setting>\d+)\|(?<temp>\d+)\|(?<other1>\d+)\|(?<other2>\d+)\|(?<switch1>\w+)\|(?<switch2>\w+)\|(?<switch3>\w+)\|(?<switch4>\w+)\|(?<state>\w+)\"\] for device \[(?<device_name>\w+)\]"
Once you're happy with everything, it's best to take that extraction and make it permanent. You can go to "Manager" -> "Fields" -> "Field Extractions" -> "Add New":
[my_sourcetype]
EXTRACT-thermodata = Broadcasted notification: \[\"ZWAVE:22\", \"(?<temp_unit>\w)\|(?<temp_setting>\d+)\|(?<temp>\d+)\|(?<other1>\d+)\|(?<other2>\d+)\|(?<switch1>\w+)\|(?<switch2>\w+)\|(?<switch3>\w+)\|(?<switch4>\w+)\|(?<state>\w+)\"\] for device \[(?<device_name>\w+)\]
Once you do that, you won't have to specify the nasty "rex" piece during your searches, and you can do stuff like:
sourcetype=my_sourcetype | timechart avg(temp)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
