Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a table based on certain fields from the Output Results?

dwin02
Explorer
‎02-17-2016 06:46 AM

Hi Splunk Support,

I'm trying to create a table based on certain fields from the Output Results:

Search String: 

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt"

Results : 

    1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
   TYPE(QLOCAL)                            CURDEPTH(0)
     2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
   TYPE(QLOCAL)                            CURDEPTH(0)
     3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
   QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP)   TYPE(QLOCAL)
   CURDEPTH(0)

Table to Create: 

QUEUE NAME                          CURRENT_QUEUE_DEPTH
VIA.EVENT.ACTUTIME.UPD.FOR.ODBS     CURDEPTH(0)

Thanks,
Aldwin

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 09:43 AM

Try something like this 

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

Update#1

Try this

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
  | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
0 Karma
Reply

dwin02
Explorer
‎02-17-2016 11:08 AM

Thank you for your suggestion but it's not working. 

| rex "QUEUE\((?[^\)]+)[\S\s]CURDEPTH\((?\d+)"

The following regex expression doesn't show the queue name and nor the Current Queue Depth.

I'm trying to find out maybe there's something wrong with the expression but your suggestion is very appreciated.

Thanks,
Aldwin

0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 11:21 AM

Try this 

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
 | rex "QUEUE\((?<QUEUE_NAME>[^\)]" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
0 Karma
Reply

dwin02
Explorer
‎02-17-2016 12:18 PM

Hi Somesoni2,

I'm now getting a result for the rex "CURDEPTH\((?\d+)" but still not working for rex "QUEUE\((?[^\)]".

Please see screenshot attach.

Thanks,
Aldwin

0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 01:08 PM

Teere is an issue with the regex that I wrote. Fixed in the main answer (see Update#1).

0 Karma
Reply

dwin02
Explorer
‎02-17-2016 01:25 PM

You mean this one: 

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
 | rex "QUEUE\((?[^\)]+)[\S\s]CURDEPTH\((?\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH

I've tried this and it's not working.
Your second update worked but only for rex "CURDEPTH\((?\d+)", the rex "QUEUE\((?[^\)]" did not work.

0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 03:18 PM

I mean this

 index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
       | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
0 Karma
Reply

dwin02
Explorer
‎02-17-2016 06:53 PM

Hi Somesoni2,

Thank you for all your help. It worked perfectly.
If you don't mind, using the same search:

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" | rex max_match=8 "QUEUE\((?[^\)]+)" | rex max_match=8  "CURDEPTH\((?\d+)"

I just want to show where the value of CURDEPTH is more than let's say 100, I've tried looking at some solutions but can't seem to find the right solution.

Thanks,
Aldwin

0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 07:37 PM

Just add the filter condition like this at the end of the search 

index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" 
        | rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH | where CURRENT_QUEUE_DEPTH > 100
0 Karma
Reply

dwin02
Explorer
‎02-17-2016 08:06 PM

Hi Somesoni,
I've tried that already but it did not work. Even if I change it to where CURRENT_QUEUE_DEPTH > 1 since I only have 4 as the highest current depth.

Thanks,
Aldwin

0 Karma
Reply

somesoni2
Revered Legend
‎02-17-2016 08:52 PM

Do you you've multiple queues in single events and want to sum all the queue depth in each event and compare it to100? Or do you want to sum queue depth of all events and compare with 100?

0 Karma
Reply

dwin02
Explorer
‎02-17-2016 09:19 PM

It would need to this one :

Do you you've multiple queues in single events and want to sum all the queue depth in each event and compare it to100?

0 Karma
Reply

marina_rovira
Contributor
‎02-17-2016 08:24 AM

Have you got fieldname for each of these fields?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...