How to create a table based on certain fields from the Output Results?

dwin02
Explorer

Hi Splunk Support,

I'm trying to create a table based on certain fields from the Output Results:

Search String:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt"

Results :

    1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
   TYPE(QLOCAL)                            CURDEPTH(0)
     2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
   TYPE(QLOCAL)                            CURDEPTH(0)
     3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP)   TYPE(QLOCAL)
   CURDEPTH(0)

Table to Create:

QUEUE NAME                          CURRENT_QUEUE_DEPTH
VIA.EVENT.ACTUTIME.UPD.FOR.ODBS     CURDEPTH(0)

Thanks,
Aldwin

somesoni2
Revered Legend

Try something like this

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Update#1

Try this

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

dwin02
Explorer

Thank you for your suggestion but it's not working.

| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"

The above regex expression shows neither the queue name nor the Current Queue Depth.

I'm trying to find out maybe there's something wrong with the expression but your suggestion is very appreciated.

Thanks,
Aldwin

somesoni2
Revered Legend

Try this

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

dwin02
Explorer

Hi Somesoni2,

I'm now getting a result for rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" but it is still not working for rex "QUEUE\((?<QUEUE_NAME>[^\)]".

Please see screenshot attach.

Thanks,
Aldwin

somesoni2
Revered Legend

There is an issue with the regex that I wrote. Fixed in the main answer (see Update#1).

dwin02
Explorer

You mean this one:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

I've tried this and it's not working.
Your second update worked, but only for rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"; the rex "QUEUE\((?<QUEUE_NAME>[^\)]" did not work.

somesoni2
Revered Legend

I mean this

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

dwin02
Explorer

Hi Somesoni2,

Thank you for all your help. It worked perfectly.
If you don't mind, using the same search:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" | rex max_match=8 "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex max_match=8 "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"

I just want to show where the value of CURDEPTH is more than let's say 100, I've tried looking at some solutions but can't seem to find the right solution.

Thanks,
Aldwin

somesoni2
Revered Legend

Just add the filter condition like this at the end of the search

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH | where CURRENT_QUEUE_DEPTH > 100
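
The extraction and filtering discussed in this thread, as an added example that is not part of the original answers: a Python script (rather than SPL, so it runs offline) that applies the first answer's regex, a bridged single-regex variant, and the two separate patterns from Update#1 to a constructed copy of the question's "dis ql" output, then applies the "depth greater than N" filter per queue. The queue names are the ones from the question; the depths 150 and 4 are made up so the filter returns something, and the function names (extract_one_char_gap, extract_pairs, extract_pairs_separately, queues_over) are assumptions for this example. Python spells named groups (?P<name>...) where Splunk's rex accepts (?<name>...); the patterns are otherwise the same.

```python
import re

# Constructed sample modelled on the "dis ql ... curdepth" output in the
# question. Queue names are from the thread; the depths 150 and 4 are
# made up so that the threshold filter has something to return.
MQ_OUTPUT = """\
     1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
   TYPE(QLOCAL)                            CURDEPTH(0)
     2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
   TYPE(QLOCAL)                            CURDEPTH(150)
     3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP)   TYPE(QLOCAL)
   CURDEPTH(4)
"""

# The first answer's single regex. [\S\s] allows exactly ONE character
# between the queue name and "CURDEPTH(", but a ")" plus TYPE(QLOCAL) and
# whitespace always sit there, so it can never match this output.
ONE_CHAR_GAP = re.compile(
    r"QUEUE\((?P<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?P<CURRENT_QUEUE_DEPTH>\d+)"
)

# Single-regex fix: a lazy [\s\S]*? bridges any amount of text, so each
# QUEUE(...) pairs with the nearest CURDEPTH(...) that follows it.
PAIRED = re.compile(
    r"QUEUE\((?P<QUEUE_NAME>[^\)]+)\)[\s\S]*?CURDEPTH\((?P<CURRENT_QUEUE_DEPTH>\d+)\)"
)

# The two separate patterns from Update#1 / the max_match=8 search.
QUEUE_RE = re.compile(r"QUEUE\(([^\)]+)\)")
DEPTH_RE = re.compile(r"CURDEPTH\((\d+)\)")


def extract_one_char_gap(text):
    """Apply the first answer's regex; returns [] on the sample output."""
    return [(m.group("QUEUE_NAME"), int(m.group("CURRENT_QUEUE_DEPTH")))
            for m in ONE_CHAR_GAP.finditer(text)]


def extract_pairs(text):
    """(queue name, depth) pairs using the single bridged regex."""
    return [(m.group("QUEUE_NAME"), int(m.group("CURRENT_QUEUE_DEPTH")))
            for m in PAIRED.finditer(text)]


def extract_pairs_separately(text):
    """Mirror the two rex commands: extract all queue names and all depths
    independently (as max_match=8 does), then pair them by position.
    Positional pairing is only safe when every entry has both fields,
    so the counts are checked first."""
    names = QUEUE_RE.findall(text)
    depths = [int(d) for d in DEPTH_RE.findall(text)]
    if len(names) != len(depths):
        raise ValueError("queue/depth counts differ; positional pairing unsafe")
    return list(zip(names, depths))


def queues_over(text, threshold):
    """The 'where CURRENT_QUEUE_DEPTH > N' step, evaluated per queue."""
    return [(name, depth) for name, depth in extract_pairs(text)
            if depth > threshold]


if __name__ == "__main__":
    print("one-char gap regex:", extract_one_char_gap(MQ_OUTPUT))
    for name, depth in extract_pairs(MQ_OUTPUT):
        print(f"{name:40} {depth}")
    print("over 100:", queues_over(MQ_OUTPUT, 100))
```

The count check in extract_pairs_separately is the practical caveat of extracting the two fields independently: if one entry lacks a CURDEPTH line, positional pairing silently shifts every later depth onto the wrong queue, which the single bridged regex avoids because it pairs each queue with the depth that follows it.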

dwin02
Explorer

Hi Somesoni,
I've tried that already but it did not work. Even if I change it to where CURRENT_QUEUE_DEPTH > 1 since I only have 4 as the highest current depth.

Thanks,
Aldwin

somesoni2
Revered Legend

Do you have multiple queues in a single event and want to sum all the queue depths in each event and compare that to 100? Or do you want to sum the queue depths of all events and compare with 100?

dwin02
Explorer

It would need to be this one:

Do you have multiple queues in a single event and want to sum all the queue depths in each event and compare that to 100?

marina_rovira
Contributor

Have you got fieldname for each of these fields?
