Splunk Search

Interactive field extractor not selecting all named values

bcarnot
Path Finder

Below is my data. I have used very simple "Example values for a field" like, 23 or 1.27, or msec or threads.

The response back never properly defines the named objects. Goal is to be able to report on the values below over time.

DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
DBWaitTime.minTime: 0   msecs
DBWaitTime.time:    373 msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:   
JDBC_Connection_Username.value:    PORTLET  
LogicalConnection.value:    null    
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0   threads
Execute.avg:    1.3652482269503545  msecs
Execute.completed:  282 ops
Execute.maxActive:  1   threads
Execute.maxTime:    10  msecs
0 Karma

lguinn2
Legend

You might need to learn a little about regular expressions and edit the regex that the IFX generates. Splunk can only perform a brute-force analysis of the data to create a regular expression - since you have an understanding of your own data, you can probably do better.

If you don't know regular expressions, here is a pretty decent and short tutorial:
http://regexone.com/

Also, if you gave the community an idea of what you want to extract, we could help with the regular expressions. Your question really doesn't tell us much.

0 Karma

bcarnot
Path Finder

Thank you for your response.
A use case of the report for the data above would be "DBWaitTime.avg" over time.
My understanding is I should be able to extract this field (and others) based on the query.

In the examples I have watched, the end user selects the changing variable (the " 1.273037542662116 ") for SPLUNK to "learn" the log.

For conversation purposes, using this segment: DBWaitTime.avg: 1.273037542662116 msecs
Should I be creating a field extraction off of:
1) DBWaitTime.avg
2) 1.273037542662116

3) msecs

If I choose:

1) the response is "regex" cannot be learned

2) the response highlights very good information, but the field names are now the found response times (numbers)

3) the response highlights very good information, but the field names are now the found response names (msec,threads,ops)

GOAL is to chart Database wait time (in msec) over time.

0 Karma

bcarnot
Path Finder

I am almost there, and really appreciate assistance with connecting the dots.
The generation of the Field extractor Regex is much more complex than that on the web.

Looking back at my data above, if I use an on-line tool with the following, I get all the digits required: (?:\d*.)?\d+

How do I add this to what is being generated by the extractor?: (?i).count:\t(?P[^\t]+)

My lack of understanding (among other things) is of the "?i", "\t", "P" and "^\t".
My understanding of the above is: period, count to the colon, any ? (optional letter? field name starts with any digit?), one or more repetitions.

0 Karma
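To make the pieces of the IFX-generated pattern concrete, here is an added example (not code from the thread or from Splunk) that uses Python's `re` module, which accepts the same `(?P<name>...)` named-group syntax as the PCRE regex Splunk uses. It runs over the sample lines quoted in the question, shows a targeted extraction anchored on the literal metric name (the IFX style, one field per regex) and a generic extraction that pulls metric, value and unit from every `Object.attribute: value unit` line. The field name `DBWaitTime_avg` is an assumption chosen because a capture-group name cannot contain a dot.

```python
import re

# Constructed sample: the lines quoted in the question above (tabs flattened to spaces).
SAMPLE = """\
DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
DBWaitTime.minTime: 0   msecs
DBWaitTime.time:    373 msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:
JDBC_Connection_Username.value:    PORTLET
LogicalConnection.value:    null
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0   threads
Execute.avg:    1.3652482269503545  msecs
Execute.completed:  282 ops
Execute.maxActive:  1   threads
Execute.maxTime:    10  msecs
"""

# Reading the generated pattern (?i).count:\t(?P<name>[^\t]+) piece by piece:
#   (?i)           match case-insensitively
#   .count:        any single character, then the literal text "count:"
#   \t             one tab character
#   (?P<name>...)  a named capture group; the name becomes the Splunk field
#   [^\t]+         one or more characters that are NOT a tab
# Below the same building blocks are used, but the metric name is written out
# in full and the value is restricted to digits so "null" or "PORTLET" never match.


def extract_field(text, metric, field_name):
    """Targeted extraction, IFX style: one regex per field, anchored on the
    literal metric name. Returns the numeric value or None if absent."""
    pattern = re.compile(
        r"(?i)"                     # case-insensitive, as the IFX emits
        + re.escape(metric)         # escapes the dot so it matches a literal "."
        + r":\s+"                   # colon, then one or more spaces/tabs
        + r"(?P<" + field_name + r">\d+(?:\.\d+)?)"  # integer or decimal number
    )
    m = pattern.search(text)
    return float(m.group(field_name)) if m else None


# Generic extraction: metric key, value, and an optional trailing unit word.
METRIC_RE = re.compile(
    r"^(?P<metric>[A-Za-z_][\w.]*):\s+"          # e.g. DBWaitTime.avg:
    r"(?P<value>\S+)"                            # the value token
    r"(?:\s+(?P<unit>[A-Za-z]+))?\s*$"           # optional unit: msecs, ops, threads
)


def parse_metrics(text):
    """Return one dict {metric, value, unit} per matching line; lines such as the
    '/JDBC/Driver/...' header do not match and are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := METRIC_RE.match(line))]


def db_wait_avg(text):
    """Only the numeric DBWaitTime.avg values, the series the question wants to chart."""
    return [float(r["value"]) for r in parse_metrics(text) if r["metric"] == "DBWaitTime.avg"]


# The equivalent Splunk search for the targeted pattern would be written with rex:
#   | rex "DBWaitTime\.avg:\s+(?P<DBWaitTime_avg>\d+(?:\.\d+)?)"
#   | timechart avg(DBWaitTime_avg)

if __name__ == "__main__":
    print(extract_field(SAMPLE, "DBWaitTime.avg", "DBWaitTime_avg"))
    for row in parse_metrics(SAMPLE):
        print(row)
```

The targeted form is what the extractor's generated regex is doing; the generic form is useful when many `Object.attribute` metrics share one layout, because a single pattern yields the metric name as a field of its own instead of needing one extraction per metric.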