
Extracting Fields from Varying Lengths of Unlabeled Logs


Given the following log output (timestamps denote the start of a new line), I am trying to graph the **bolded** values, by the respective strings "PS MarkSweep" and "PS Scavenge". However, note that the field does not appear on the instances of PS MarkSweep, specifically because the integer immediately after "PS MarkSweep" is 0. Is there a search I can create that graphs that extracted field iff the integer after the string is nonzero?

So far I have | rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)" | to extract the string as GC_NAME and the int as CollectionCount. Thanks!

162 Mon May 19 15:08:30 EDT 2014 279466791 3 PS MarkSweep 0 0.0 0 0.0 523763712 524288000 523763712 183944776
162 Mon May 19 15:08:30 EDT 2014 9753597 4 PS MarkSweep 0 0.0 0 0.0 532152320 536870912 532152320 42549976
162 Mon May 19 15:08:30 EDT 2014 279466762 1 PS Scavenge 128 0.0 644 0.0 272758272 **5.0** 524288000 524288000 524288000 97753248
162 Mon May 19 15:08:30 EDT 2014 279466789 2 PS Scavenge 122 0.0 719 0.0 278900975 **4.0** 522715136 524288000 522715136 36896016



You could do this

yoursearchhere
| rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"
| where CollectionCount > 0
| chart count by GC_NAME

where you could change the count statistic to whatever you are trying to chart


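The same extraction and `where CollectionCount > 0` filter, reimplemented in Python as an added example (not code from the question or the answer) so the edge case is visible: it assumes the columns are tab-separated, as the rex does, and that the bolded value sits five tab-delimited fields after CollectionCount, which is read off the question's sample rather than from any documented field name.

```python
import re
from collections import defaultdict

# Same regex as the rex in the answer: skip four tab-delimited fields, then
# capture the collector name and the collection count that follows it.
GC_RE = re.compile(
    r"(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"
)

# Assumption taken from the sample: the bolded value (5.0 / 4.0) is the field
# five tab-delimited columns after CollectionCount.
VALUE_OFFSET = 5

# Constructed sample: the question's four lines, with tabs between columns.
SAMPLE_LOG = "\n".join([
    "162\tMon May 19 15:08:30 EDT 2014\t279466791\t3\tPS MarkSweep\t0\t0.0\t0\t0.0\t523763712\t524288000\t523763712\t183944776",
    "162\tMon May 19 15:08:30 EDT 2014\t9753597\t4\tPS MarkSweep\t0\t0.0\t0\t0.0\t532152320\t536870912\t532152320\t42549976",
    "162\tMon May 19 15:08:30 EDT 2014\t279466762\t1\tPS Scavenge\t128\t0.0\t644\t0.0\t272758272\t5.0\t524288000\t524288000\t524288000\t97753248",
    "162\tMon May 19 15:08:30 EDT 2014\t279466789\t2\tPS Scavenge\t122\t0.0\t719\t0.0\t278900975\t4.0\t522715136\t524288000\t522715136\t36896016",
])


def extract_row(line):
    """Return (GC_NAME, CollectionCount, value), or None when the row is filtered out."""
    m = GC_RE.match(line)
    if not m:
        return None
    count = int(m.group("CollectionCount"))
    if count == 0:
        # Mirrors `| where CollectionCount > 0`. A zero-count row is shorter, so the
        # column at VALUE_OFFSET still exists but holds an unrelated number; the
        # count guard, not a length check, is what keeps that value off the chart.
        return None
    fields = line.split("\t")
    value_idx = line[: m.start("CollectionCount")].count("\t") + VALUE_OFFSET
    if value_idx >= len(fields):
        return None  # row too short to carry the value
    return m.group("GC_NAME"), count, float(fields[value_idx])


def chart_avg(log_text):
    """Equivalent of `| chart avg(value) by GC_NAME` over the filtered rows."""
    sums, counts = defaultdict(float), defaultdict(int)
    for line in log_text.splitlines():
        row = extract_row(line)
        if row is None:
            continue
        name, _, value = row
        sums[name] += value
        counts[name] += 1
    return {name: sums[name] / counts[name] for name in sums}
```

Running `chart_avg(SAMPLE_LOG)` drops both PS MarkSweep rows and charts only PS Scavenge, which is the behaviour the answer's `where` clause produces in Splunk.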
