Splunk Search

How to extract value from end of line

lalbsah
Engager

I have the log format below and I want to get the value of getTaskHistoryList (in this case it is 33, but this may change).
Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 33

How to extract only the getTaskHistoryList value and create a chart out of these values?


dwaddle
SplunkTrust

Well, given the one example event, one might try

... | rex "getTaskHistoryList (?<field_name>\d+)$"

However, a more thorough regex might be:

... | rex "Message: Time taken for (?<operation>[^\s]+) (?<time_taken>\d+)$"

These are not particularly complicated regular expressions. If you are not already familiar, I would recommend studying how regular expressions work in general - there is a good website, http://www.regular-expressions.info/, and O'Reilly has an excellent (if a little aged) paperback book on the subject, http://shop.oreilly.com/product/9780596528126.do

Also, you should study up on how Splunk uses regular expressions for field extraction. http://docs.splunk.com/Documentation/Splunk/4.3/Knowledge/Aboutfields is as good a place as any to start.
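The extraction above, carried through to chart-ready data as an added example that is not part of the original answer. It applies the same two regexes (the narrow one for getTaskHistoryList only, and the general one that captures the operation name and its duration) to a handful of constructed events in the format shown in the question, then aggregates the way `stats avg(time_taken) max(time_taken) count by operation` would. Python's `re` module spells named groups `(?P<name>...)` rather than the PCRE `(?<name>...)` that Splunk's rex accepts; the regex bodies are otherwise identical. The event lines and the `coverage` check are assumptions added for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in the format quoted in the question (not real log data).
SAMPLE_EVENTS = [
    "Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 33",
    "Trace: 2012/05/10 19:32:41.112 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 41",
    "Trace: 2012/05/10 19:32:42.500 01 t=9AF4F9 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskList 7",
    "Trace: 2012/05/10 19:32:43.001 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Connection pool exhausted",
]

# Narrow extraction from the answer: only the getTaskHistoryList timing.
# Splunk rex form: (?<field_name>\d+); Python needs (?P<field_name>\d+).
NARROW_RE = re.compile(r"getTaskHistoryList (?P<field_name>\d+)$")

# General extraction from the answer: operation name plus its duration.
GENERAL_RE = re.compile(r"Message: Time taken for (?P<operation>[^\s]+) (?P<time_taken>\d+)$")

# Deliberately wrong literal ("take" instead of "taken") to show that a regex which
# does not match the event text extracts nothing and produces an empty chart,
# without any error. This pattern is an assumption for the demonstration only.
MISMATCH_RE = re.compile(r"Message: Time take for (?P<operation>[^\s]+) (?P<time_taken>\d+)$")


def extract(events, pattern):
    """Return one dict of named groups per matching event.

    Events that do not match are dropped, which mirrors how `rex` leaves the
    fields absent on non-matching events; the same pattern applied to the raw
    event later in the pipeline would therefore silently exclude them.
    """
    results = []
    for event in events:
        match = pattern.search(event)
        if match:
            results.append(match.groupdict())
    return results


def coverage(events, pattern):
    """Fraction of events the pattern matches: a cheap sanity check to run
    (e.g. via `| stats count(time_taken) count` in Splunk) before charting."""
    if not events:
        return 0.0
    return sum(1 for e in events if pattern.search(e)) / len(events)


def chart_data(events, pattern=GENERAL_RE):
    """Aggregate like `stats avg(time_taken) max(time_taken) count by operation`.

    Returns {operation: {"count": n, "avg": float, "max": int}} so the caller can
    feed it to any charting library; rex captures are strings, so cast first.
    """
    buckets = defaultdict(list)
    for fields in extract(events, pattern):
        buckets[fields["operation"]].append(int(fields["time_taken"]))
    return {
        op: {"count": len(vals), "avg": sum(vals) / len(vals), "max": max(vals)}
        for op, vals in buckets.items()
    }


if __name__ == "__main__":
    print("narrow:", extract(SAMPLE_EVENTS, NARROW_RE))
    print("general coverage:", coverage(SAMPLE_EVENTS, GENERAL_RE))
    print("mismatch coverage:", coverage(SAMPLE_EVENTS, MISMATCH_RE))
    for op, stats in chart_data(SAMPLE_EVENTS).items():
        print(op, stats)
```

In Splunk itself the same aggregation is the tail of the search, for example `... | rex "Message: Time taken for (?<operation>[^\s]+) (?<time_taken>\d+)$" | timechart span=1m avg(time_taken) by operation`, which gives a per-minute line per operation; `chart_data` above is the non-time-bucketed equivalent so the numbers can be checked by hand.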
