Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with regular expressions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with regular expressions
I have a syslog where I want to extract only these 3 events:
1)
Engine Busy Utilization CPU Busy I/O Busy Idle
Engine 0 1.1 % 0.1 % 98.8 %
Engine 1 71.3 % 2.0 % 26.7 %
Engine 2 0.0 % 0.0 % 99.9 %
Engine 3 0.4 % 0.7 % 98.9 %
Engine 4 3.6 % 0.9 % 95.5 %
Engine 5 0.2 % 0.7 % 99.1 %
Engine 6 0.4 % 0.5 % 99.1 %
Engine 7 1.1 % 0.1 % 98.9 %
Engine 8 0.9 % 0.3 % 98.8 %
Engine 9 0.1 % 0.0 % 99.9 %
Engine 10 0.0 % 0.0 % 100.0 %
Engine 11 0.0 % 0.1 % 99.9 %
Engine 12 0.1 % 0.1 % 99.8 %
Engine 13 0.1 % 0.4 % 99.5 %
Engine 14 39.7 % 4.1 % 56.2 %
Engine 15 0.2 % 0.0 % 99.8 %
Engine 16 0.0 % 0.0 % 100.0 %
Engine 17 0.8 % 0.0 % 99.2 %
Engine 18 0.0 % 0.0 % 100.0 %
Engine 19 0.0 % 0.0 % 100.0 %
Engine 20 0.1 % 0.0 % 99.9 %
Engine 21 3.9 % 1.7 % 94.4 %
Engine 22 2.2 % 0.9 % 96.9 %
Engine 23 0.7 % 0.0 % 99.3 %
Engine 24 0.8 % 0.9 % 98.3 %
Engine 25 0.1 % 0.0 % 99.8 %
Engine 26 0.0 % 0.0 % 100.0 %
Engine 27 39.7 % 5.2 % 55.2 %
Engine 28 4.3 % 0.4 % 95.3 %
Engine 29 1.1 % 0.1 % 98.9 %
Summary Total 172.8 % 19.2 % 2807.9 %
Average 5.8 % 0.6 % 93.6 %
2)
Cache: default data cache
per sec per xact count % of total
------------------------- ------------ ------------ ---------- ----------
Spinlock Contention n/a n/a n/a 0.2 %
3)
Cache Search Summary
Total Cache Hits 523491.0 708.5 157047286 99.9 %
All extra lines that do not belong to these events, I dont want the indexing splunk.
I understand that I must change the LINEA_BREAKER IN props.conf
I do not know how to build the regular expression. Someone could be so kind to help me assemble the expression?
thank you very much, greetings!
Javier.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
You question need clarifying. What data are you trying to keep?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello, thank you,
I need to extract from a log only 5% of the information. I do not know well how to do this
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
