Splunk Search

How do i regex the numbers for the following hung thread log message...?

prakash007
Builder

Looking for a regex in 612,200(threadDuration) and 3(no.of.Threads) for the log message below...

WSVR0605W: Thread “WebContainer : 1” has been active for 612,000 milliseconds and may be hung. There are 3 threads in total in the server that may be hung.
Tags (2)
1 Solution

skoelpin
SplunkTrust
SplunkTrust

Here's a regex that will extract the number of ms

The field is called Time

... | rex (?P<Time>(?<=been\sactive\sfor\s)\d+\,\d+(?=\smilliseconds))

Here's the regex for number of threads which the field is called Threads

... | rex (?P<Threads>(?<=There\sare\s)\d)

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

Here's a regex that will extract the number of ms

The field is called Time

... | rex (?P<Time>(?<=been\sactive\sfor\s)\d+\,\d+(?=\smilliseconds))

Here's the regex for number of threads which the field is called Threads

... | rex (?P<Threads>(?<=There\sare\s)\d)

richgalloway
SplunkTrust
SplunkTrust

This works on regex101.com with your sample event.

... | rex "for (?<threadDuration>[\d,]+).*?(?<threadCount>\d+) threads" | ...
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...