Splunk Search

How to extract value from end of line


I have the log format below and I want to get the value of getTaskHistoryList (in this case it is 33, but this may change).
Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 33

How do I extract only the getTaskHistoryList value and create a chart out of these values?

Well, given the one example event, one might try

... | rex "getTaskHistoryList (?<field_name>\d+)$"

However, a more thorough regex might be:

... | rex "Message: Time taken for (?<operation>[^\s]+) (?<time_taken>\d+)$"

These are not particularly complicated regular expressions. If you are not already familiar, I would recommend studying how regular expressions work in general - there is a good website, http://www.regular-expressions.info/, and O'Reilly has an excellent (if a little aged) paperback book on the subject, http://shop.oreilly.com/product/9780596528126.do

Also, you should study up on how Splunk uses regular expressions for field extraction. http://docs.splunk.com/Documentation/Splunk/4.3/Knowledge/Aboutfields is as good of a place as any to start.
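To check that the second rex above actually captures both fields before putting it into a search, here is the same pattern run over a few constructed events in Python (an added example, not code from the post). The `average_by_operation` helper is assumed to stand in for what `... | stats avg(time_taken) by operation` would feed a chart; the sample events are made up to match the question's format.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events in the format shown in the question (not real logs).
SAMPLE_EVENTS = [
    "Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) "
    "Description: Log Java Message Message: Time taken for getTaskHistoryList 33",
    "Trace: 2012/05/10 19:32:41.112 01 t=9AF4F8 c=UNK key=P8 (0000000A) "
    "Description: Log Java Message Message: Time taken for getTaskHistoryList 48",
    "Trace: 2012/05/10 19:32:42.500 01 t=9AF4F8 c=UNK key=P8 (0000000A) "
    "Description: Log Java Message Message: Time taken for getTaskList 12",
    # An event with no timing at all: the regex must skip it, not mis-extract.
    "Trace: 2012/05/10 19:32:43.001 01 t=9AF4F8 c=UNK key=P8 (0000000A) "
    "Description: Log Java Message Message: Cache refreshed",
]

# Same pattern as the answer's second rex (Python uses (?P<name>...) for named
# groups). The trailing $ anchors the number to the end of the event so digits
# elsewhere in the line, such as the hex key, can never be picked up.
TIME_TAKEN_RE = re.compile(
    r"Message: Time taken for (?P<operation>[^\s]+) (?P<time_taken>\d+)$"
)
TIMESTAMP_RE = re.compile(r"^Trace: (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def extract(event):
    """Return (timestamp, operation, time_taken) or None if the event has no timing."""
    m = TIME_TAKEN_RE.search(event)
    if not m:
        return None
    ts = TIMESTAMP_RE.match(event)
    return (ts.group("ts") if ts else None, m.group("operation"), int(m.group("time_taken")))


def average_by_operation(events):
    """Average time_taken per operation: the series a chart would plot."""
    buckets = defaultdict(list)
    for ev in events:
        row = extract(ev)
        if row:
            buckets[row[1]].append(row[2])
    return {op: mean(vals) for op, vals in buckets.items()}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract(ev))
    print(average_by_operation(SAMPLE_EVENTS))
```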
