This widget could not be displayed.
This widget could not be displayed.
Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting values for table

reinharn
Explorer
‎07-03-2019 08:29 AM

I have events in my logs that look like 

{
     linesPerSec:    1694.67    
     message:    Status:    
     rowCount:   35600000   
     severity:   info
}

when i make a search like:

index="apps"  app="my-api" message="*Status:*" | table  _time,  linesPerSec, rowCount

This is what my table ends up looking like
This is what my table ends up looking like

How do I get the number value away from the key for both linesPerSec and rowCount? I want to see all instances. I tried using values(linesPerSec) but that seemed to aggregate only unique.

Thanks,

Nate

Preview file
57 KB
This widget could not be displayed.
0 Karma
This widget could not be displayed.
Reply
1 Solution
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-03-2019 10:30 AM

Hey Nate,

This simple extraction should do the trick. 

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

View solution in original post

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution
Solution

rbechtold
Communicator
‎07-03-2019 10:30 AM

Hey Nate,

This simple extraction should do the trick. 

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"
This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

reinharn
Explorer
‎07-03-2019 10:34 AM

Thanks for the response!

If I wanted to get those values into the table how would I go about that?

index="apps"  app="my-api" message="*\Status:*" | table linesPerSec, rowCount | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

I still get the table values as the key/value.

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

rbechtold
Communicator
‎07-03-2019 10:50 AM

No problem!

Since the fields don't exist until after the extraction is complete, you'll need to move the table to be after your extraction in order to see them.

This should correct the issue:

index="apps"  app="my-api" message="*\Status:*" | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)" | table _time linesPerSec, rowCount

Let me know if there are any problems!

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

reinharn
Explorer
‎07-03-2019 11:15 AM

Just tried that. Still doesn't seem to like to separate the values. Here is and image of what I am seeing.

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

reinharn
Explorer
‎07-03-2019 11:17 AM

https://imgur.com/a/2v3OcMa

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

rbechtold
Communicator
‎07-03-2019 11:39 AM

Let's try a different approach -- extracting directly from the fields themselves.

Could you give this a try for me? 

index="apps"  app="my-api" message="*\Status:*" 
| rex field=linesPerSec "(?<LPS>[\d\.]+)"
| rex field=rowCount "(?<RC>\d+)"
| table _time LPS RC

Since I'm not exactly sure if the problem is coming from the fields or the extraction, I'm just going to bypass both and create two new fields: LPS (linesPerSec) and RC (rowCount).

These should contain the correct values.

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

reinharn
Explorer
‎07-03-2019 11:41 AM

That worked! Thanks so much!

This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
Reply
Solved! Jump to solution

aohls
Contributor
‎07-03-2019 10:11 AM

You could use a regex to extract just the number.|rex field=_raw "linesPerSec (?<linesPerSec>\d+$)"|rex field=_raw "rowCount (?<rowCount>\d+$)"

EDIT: Cant get it to show but between the ? and \d would be the value name you want to use in the search surrounded by <>.

This would get you just the number values. If you are using the log a lot also you should look at setting up a field extraction; it would make it easier in the future.

This widget could not be displayed.
0 Karma
This widget could not be displayed.
This widget could not be displayed.
Reply
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
Get Updates on the Splunk Community!

Data Management Digest – December 2025

This widget could not be displayed.

Index This | What is broken 80% of the time by February?

This widget could not be displayed.

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

This widget could not be displayed.
This widget could not be displayed.