Splunk Search

Extracting the latest numeric value from the latest event to create a Gauge component in dashboard

akotwale
Engager

Hi Users, 

I have to create a gauge component to show the available memory in the system. As we know the gauge component take only single numeric value. So I need to extract the single numeric value from the latest event. My real time search event format is as follows - 

INFO  c.h.i.d.HealthMonitor - [100.64.29.192]:5701 [gfms] [3.12.9] processors=1, physical.memory.total=4.0G, physical.memory.free=3.4M, swap.space.total=0, swap.space.free=0, heap.memory.used=1.8G, heap.memory.free=1.3G, heap.memory.total=3.1G, heap.memory.max=4.0G, heap.memory.used/total=58.78%, heap.memory.used/max=45.22%, minor.gc.count=0, minor.gc.time=0ms, major.gc.count=0, major.gc.time=0ms, load.process=0.00%, load.system=72.25%, load.systemAverage=6.00,

In order to update the Gauge component, I need to extract the  value field of "physical.memory.free" property from the recent search event. Could you guys please let me know the Splunk query for it? 

Labels (1)
0 Karma
1 Solution

marysan
Communicator

| rex field=_raw "physical.memory.free="(?<physical_memory_free>.*)"M"

View solution in original post

Tags (1)

marysan
Communicator

| rex field=_raw "physical.memory.free="(?<physical_memory_free>.*)"M"

Tags (1)

akotwale
Engager

Thanks a lot @marysan. It solved my problem.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...