Splunk Search

Extracting values for table

reinharn
Explorer

I have events in my logs that look like

{
     linesPerSec:    1694.67    
     message:    Status:    
     rowCount:   35600000   
     severity:   info
}   

When I make a search like:

index="apps"  app="my-api" message="*Status:*" | table  _time,  linesPerSec, rowCount

This is what my table ends up looking like

How do I get the number value away from the key for both linesPerSec and rowCount? I want to see all instances. I tried using values(linesPerSec), but that seemed to aggregate only unique values.

Thanks,

Nate

0 Karma
1 Solution

rbechtold
Communicator

Hey Nate,

This simple extraction should do the trick.

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

0 Karma

reinharn
Explorer

Thanks for the response!

If I wanted to get those values into the table how would I go about that?

index="apps"  app="my-api" message="*\Status:*" | table linesPerSec, rowCount | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

I still get the table values as the key/value.

0 Karma

rbechtold
Communicator

No problem!

Since the fields don't exist until after the extraction is complete, you'll need to move the table to be after your extraction in order to see them.

This should correct the issue:

index="apps"  app="my-api" message="*\Status:*" | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)" | table _time linesPerSec, rowCount 

Let me know if there are any problems!

0 Karma

reinharn
Explorer

Just tried that. Still doesn't seem to like to separate the values. Here is an image of what I am seeing.

0 Karma

rbechtold
Communicator

Let's try a different approach -- extracting directly from the fields themselves.

Could you give this a try for me?

index="apps"  app="my-api" message="*\Status:*" 
| rex field=linesPerSec "(?<LPS>[\d\.]+)"
| rex field=rowCount "(?<RC>\d+)"
| table _time LPS RC

Since I'm not exactly sure if the problem is coming from the fields or the extraction, I'm just going to bypass both and create two new fields: LPS (linesPerSec) and RC (rowCount).

These should contain the correct values.

0 Karma

reinharn
Explorer

That worked! Thanks so much!

aohls
Contributor

You could use a regex to extract just the number.

|rex field=_raw "linesPerSec (?<linesPerSec>\d+$)"
|rex field=_raw "rowCount (?<rowCount>\d+$)"

EDIT: Can't get it to show, but between the ? and \d would be the value name you want to use in the search, surrounded by <>.

This would get you just the number values. If you are using the log a lot also you should look at setting up a field extraction; it would make it easier in the future.

0 Karma
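As an added example, not from any post in this thread: the working fix (a second rex run against the already-extracted linesPerSec and rowCount fields) turned into the persistent search-time field extraction aohls suggests, using the EXTRACT-<class> = <regex> in <source_field> form of props.conf. The stanza name my_api_sourcetype is a placeholder; use the sourcetype the my-api events actually carry.

```ini
# props.conf (search-time; place on the search head, then restart or reload)
# Stanza name is a placeholder for the real sourcetype of the my-api events.
[my_api_sourcetype]
# Pull the numeric part out of the auto-extracted linesPerSec field.
# Named group LPS becomes the new field; [\d.]+ keeps the decimal point.
EXTRACT-LPS = (?<LPS>[\d.]+) in linesPerSec
# Same for rowCount; integers only, so \d+ is enough.
EXTRACT-RC = (?<RC>\d+) in rowCount
```

With these in place the search no longer needs inline rex commands: index="apps" app="my-api" message="*Status:*" | table _time LPS RC. Keep the new field names distinct from linesPerSec and rowCount so they do not collide with the automatic key/value extraction that produced the original values.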