Solved: Extracting Fields from Varying Lengths of Unlabele...

ctallarico20 · ‎05-20-2014

Given the following log output (timestamps denote the start of a new line), I am trying to graph the **bolded** values, by the respective strings "PS MarkSweep" and "PS Scavenge". However, note that the field does not appear on the instances of PS Marksweep, specifically because the integer immediately after "PS MarkSweep" is 0. Is there a search I can create that graphs that extracted field iff the integer after the string is nonzero?

So far I have | rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)" | to extract the string as GC_NAME and the int as CollectionCount. Thanks!

162 Mon May 19 15:08:30 EDT 2014 279466791 3 PS MarkSweep 0 0.0 0 0.0 523763712 524288000 523763712 183944776 162 Mon May 19 15:08:30 EDT 2014 9753597 4 PS MarkSweep 0 0.0 0 0.0 532152320 536870912 532152320 42549976 162 Mon May 19 15:08:30 EDT 2014 279466762 1 PS Scavenge 128 0.0 644 0.0 272758272 **5.0** 524288000 524288000 524288000 97753248 162 Mon May 19 15:08:30 EDT 2014 279466789 2 PS Scavenge 122 0.0 719 0.0 278900975 **4.0** 522715136 524288000 522715136 36896016

lguinn2 · ‎05-20-2014

You could do this

yoursearchhere
| rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"
| where CollectionCount > 0
| chart count by GC_NAME

where you could change the count statistic to whatever you are trying to chart

View solution in original post

lguinn2 · ‎05-20-2014

You could do this

yoursearchhere
| rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"
| where CollectionCount > 0
| chart count by GC_NAME

where you could change the count statistic to whatever you are trying to chart

Extracting Fields from Varying Lengths of Unlabeled Logs

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability