Splunk Search

How to edit my search to display Min, Max, Total, and Sum at the end of a table as separate rows?

Explorer

Hi

This is my current Splunk search:

index=pqaestore source="/log/jboss_jmx_stats.log" | dedup host | rex field=_raw "memory=(?<FreeMemory>\d+)" | rex field=_raw "httpthreads=(?<httpthreads>\d+)" | rex field=_raw "httpsthreads=(?<httpsthreads>\d+)" | rex field=_raw "websessions=(?<websessions>\d+)" | rex field=_raw "ATGAdminDS=(?<ATGAdminDS>\d+)" | rex field=_raw "ATGCatalogDSA=(?<ATGCatalogDSA>\d+)" | rex field=_raw "ATGCatalogDSB=(?<ATGCatalogDSB>\d+)" | rex field=_raw "ATGCSCAdminDS=(?<ATGCSCAdminDS>\d+)" | rex field=_raw "ATGCustDS=(?<ATGCustDS>\d+)" | rex field=_raw "ATGOrderDS=(?<ATGOrderDS>\d+)" | rex field=_raw "ATGPriceDS=(?<ATGPriceDS>\d+)" | rex field=_raw "ATGSearchDS=(?<ATGSearchDS>\d+)" | rex field=_raw "DefaultDS=(?<DefaultDS>\d+)" | rex field=_raw "EStoreAdmDS=(?<EStoreAdmDS>\d+)" | streamstats count as SNo | table SNo host FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA ATGCatalogDSB ATGCSCAdminDS ATGCustDS ATGOrderDS ATGPriceDS ATGSearchDS DefaultDS EStoreAdmDS

Table output [Removed the host from output as it is sensitive]

FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA
54 0 0 11 2 2 2 0 5 7 0 0
40 0 0 12 2 2 2 2 5 7 2 0
51 0 0 11 2 2 2 0 5 7 0 0
51 0 0 10 2 2 2 0 5 7 0 0
56 1 0 12 2 2 2 0 5 7 0 0
55 1 0 11 2 2 2 0 5 7 0 0
78 0 0 8 2 2 2 0 5 7 0 0
70 0 0 9 2 2 2 0 5 7 0 0
65 0 0 11 2 2 2 0 5 7 2 0
50 1 0 10 2 2 2 0 5 7 0 0
60 1 0 9 2 2 2 0 5 7 0 0
52 0 0 10 2 2 2 0 5 7 0 0

How do I print Total, Min, Max, and Average at the end of this table as separate rows? Please advise.

0 Karma
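One way to get the four summary rows the question asks for is `appendpipe`, which runs a sub-pipeline over the current result set and appends its output as extra rows. The search below is an added example written for this thread, not code posted by either participant. It assumes the capture-group names in the original `rex` commands match the column names in the `table` command (the outer wrapping groups of the original are dropped, since their fields are never used), that `stats` accepts the `sum(*) as *` wildcard form so every numeric column is aggregated without listing each one, and that the summary rows can be identified by `host` because `host` is already removed from the real rows before aggregation.

```spl
index=pqaestore source="/log/jboss_jmx_stats.log"
| dedup host
| rex field=_raw "memory=(?<FreeMemory>\d+)"
| rex field=_raw "httpthreads=(?<httpthreads>\d+)"
| rex field=_raw "httpsthreads=(?<httpsthreads>\d+)"
| rex field=_raw "websessions=(?<websessions>\d+)"
| rex field=_raw "ATGAdminDS=(?<ATGAdminDS>\d+)"
| rex field=_raw "ATGCatalogDSA=(?<ATGCatalogDSA>\d+)"
| rex field=_raw "ATGCatalogDSB=(?<ATGCatalogDSB>\d+)"
| rex field=_raw "ATGCSCAdminDS=(?<ATGCSCAdminDS>\d+)"
| rex field=_raw "ATGCustDS=(?<ATGCustDS>\d+)"
| rex field=_raw "ATGOrderDS=(?<ATGOrderDS>\d+)"
| rex field=_raw "ATGPriceDS=(?<ATGPriceDS>\d+)"
| rex field=_raw "ATGSearchDS=(?<ATGSearchDS>\d+)"
| rex field=_raw "DefaultDS=(?<DefaultDS>\d+)"
| rex field=_raw "EStoreAdmDS=(?<EStoreAdmDS>\d+)"
| streamstats count as SNo
| table SNo host FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA ATGCatalogDSB ATGCSCAdminDS ATGCustDS ATGOrderDS ATGPriceDS ATGSearchDS DefaultDS EStoreAdmDS
| appendpipe [ where isnotnull(SNo) | fields - SNo host | stats sum(*) as * | eval host="Total" ]
| appendpipe [ where isnotnull(SNo) | fields - SNo host | stats min(*) as * | eval host="Min" ]
| appendpipe [ where isnotnull(SNo) | fields - SNo host | stats max(*) as * | eval host="Max" ]
| appendpipe [ where isnotnull(SNo) | fields - SNo host | stats avg(*) as * | eval host="Average" ]
| table SNo host FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA ATGCatalogDSB ATGCSCAdminDS ATGCustDS ATGOrderDS ATGPriceDS ATGSearchDS DefaultDS EStoreAdmDS
```

Each `appendpipe` sees everything produced so far, including rows appended by the previous one, so the `where isnotnull(SNo)` filter is what keeps the Min, Max and Average rows from being computed over the Total row. Dropping `SNo` and `host` before `stats` means the summary rows have an empty `SNo` and a label in `host`; the final `table` puts the appended rows back into the original column order. If the averages come out with long decimals, add `| eval FreeMemory=round(FreeMemory,2)` (and the same for the other columns) after the last `appendpipe`.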

Engager

Have you thought about turning those rex extractions into permanent ones in a props/transforms file?

index=pqaestore source="/log/jboss_jmx_stats.log" 
| dedup host 
| rex field=_raw "memory=(?<FreeMemory>\d+)"
| rex field=_raw "httpthreads=(?<httpthreads>\d+)"
| rex field=_raw "httpsthreads=(?<httpsthreads>\d+)"
| rex field=_raw "websessions=(?<websessions>\d+)"
| rex field=_raw "ATGAdminDS=(?<ATGAdminDS>\d+)"
| rex field=_raw "ATGCatalogDSA=(?<ATGCatalogDSA>\d+)"
| rex field=_raw "ATGCatalogDSB=(?<ATGCatalogDSB>\d+)"
| rex field=_raw "ATGCSCAdminDS=(?<ATGCSCAdminDS>\d+)"
| rex field=_raw "ATGCustDS=(?<ATGCustDS>\d+)"
| rex field=_raw "ATGOrderDS=(?<ATGOrderDS>\d+)"
| rex field=_raw "ATGPriceDS=(?<ATGPriceDS>\d+)"
| rex field=_raw "ATGSearchDS=(?<ATGSearchDS>\d+)"
| rex field=_raw "DefaultDS=(?<DefaultDS>\d+)"
| rex field=_raw "EStoreAdmDS=(?<EStoreAdmDS>\d+)"
| streamstats count as SNo
| eval AvgfreeMem=commands("* | stats avg(FreeMemory)")
| eval TotalfreeMem=commands("* | stats sum(FreeMemory)")
| table SNo host FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA ATGCatalogDSB ATGCSCAdminDS ATGCustDS ATGOrderDS ATGPriceDS ATGSearchDS DefaultDS EStoreAdmDS AvgfreeMem TotalfreeMem

I believe something along the lines of those eval statements will work, though I haven't tried the "commands" statement myself; you should be able to work it out through trial and error 🙂:
hxxps://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Multivalue_functions
hxxps://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonStatsFunctions

0 Karma