- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Collect values from syslog logging
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am new to splunk and have the following question. Below is snippet from a syslog logging. I would like to show the value behind (fordblks): in a chart based on _time.
[10-25 06:22:01,010] [freecwmpUTCd main 728] INF (statistics) MEM:1187840 | Total allocated space (uordblks): 997960
[10-25 06:22:01,010] [freecwmpUTCd main 728] INF (statistics) MEM:1187840 | Total free space (fordblks): 189880
I have tried rex and split and mvindex commands but I don't get it to work yet. Could anyone point me in the right direction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@admin_fred
Below should give you the value for fordblks and then you can chart.
|rex field=_raw "fordblks\):\s+(?<MY_VALUE>\d+)"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The code below is working as expected:
my search |rex field=_raw "fordblks):\s+(?\d+)" | stats values(MY_VALUE) by _time my_process
note: my_process is an additional field so the statistics for 'fordblks' will be spitted up for multiple processes, which is very nice addition.
I only notice the search updates (live search) can take quite long. Maybe due to my (slow) Intel Celeron processor.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@admin_fred
Below should give you the value for fordblks and then you can chart.
|rex field=_raw "fordblks\):\s+(?<MY_VALUE>\d+)"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much!
The code below works fine.
|rex field=_raw "fordblks):\s+(?\d+)" | table _time MY_VALUE
How can I now present information in a chart instead of table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@admin_fred,
If you have different values for time, then fields _time,MY_VALUE itself could be visualized in a graph.
Or stats values(MY_VALUE) by _time or chart max(MY_VALUE) by _time depends on your requirement.
What goes around comes around. If it helps, hit it with Karma 🙂
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
