Interactive field extractor not selecting all named values

bcarnot
Path Finder

Below is my data. I have used very simple "Example values for a field" like, 23 or 1.27, or msec or threads.

The response back never properly defines the named objects. Goal is to be able to report on the values below over time.

DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
DBWaitTime.minTime: 0   msecs
DBWaitTime.time:    373 msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:   
JDBC_Connection_Username.value:    PORTLET  
LogicalConnection.value:    null    
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0   threads
Execute.avg:    1.3652482269503545  msecs
Execute.completed:  282 ops
Execute.maxActive:  1   threads
Execute.maxTime:    10  msecs
0 Karma

lguinn2
Legend

You might need to learn a little about regular expressions and edit the regex that the IFX generates. Splunk can only perform a brute-force analysis of the data to create a regular expression - since you have an understanding of your own data, you can probably do better.

If you don't know regular expressions, here is a pretty decent and short tutorial:
http://regexone.com/

Also, if you gave the community an idea of what you want to extract, we could help with the regular expressions. Your question really doesn't tell us much.

0 Karma

bcarnot
Path Finder

Thank you for your response.
A use case of the report for the data above would be "DBWaitTime.avg" over time.
My understanding is I should be able to extract this field (and others) based on the query.

In the examples I have watched, the end user selects the changing variable (the " 1.273037542662116 ") for SPLUNK to "learn" the log.

For conversation purposes, using this segment: DBWaitTime.avg: 1.273037542662116 msecs
Should I be creating a field extraction off of:
1) DBWaitTime.avg
2) 1.273037542662116

3) msecs

If I choose:

1) the response is "regex" cannot be learned

2) the response highlights very good information, but the field names are now the found response times (numbers)

3) the response highlights very good information, but the field names are now the found response names (msec,threads,ops)

GOAL is to chart Database wait time (in msec) over time.

0 Karma

bcarnot
Path Finder

I am almost there, and really appreciate assistance with connecting the dots.
The generation of the Field extractor Regex is much more complex than that on the web.

Looking back at my data above, if I use an on-line tool with the following, I get all the digits required: (?:\d*.)?\d+

How do I add this to what is being generated by the extractor? (?i).count:\t(?P[^\t]+)

I lack an understanding (among other things) of the "?i", "\t", "P" and "^\t".
My understanding of the above is: period, count to the :, any ?, ( optional letter? field name starts with any digit?), one or more repetitions.

0 Karma
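Since the thread stops before a working extraction, here is an added example (not from the original poster, the answerer or Splunk) that parses the posted lines with a single named-group regex, the same (?P&lt;name&gt;...) syntax the IFX generated. The sample is copied from the question; the search in the comment is a sketch whose index and sourcetype names are placeholders.

```python
import re

# Constructed sample: the lines posted in the question, whitespace as rendered.
SAMPLE = """\
DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:   
JDBC_Connection_Username.value:    PORTLET  
LogicalConnection.value:    null    
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.avg:    1.3652482269503545  msecs
"""

# Pieces the IFX regex used, for reference:
#   (?i)      case-insensitive flag        \t       a literal tab
#   (?P<x>..) a capture group named x      [^\t]+   one or more non-tab characters
# \s+ below accepts tabs or spaces, since the page may have flattened tabs.
METRIC_RE = re.compile(
    r"^(?P<metric>\w+\.\w+):\s+"              # DBWaitTime.avg
    r"(?P<value>(?:\d*\.)?\d+|\S+)"           # 1.273037542662116, 293, PORTLET, null
    r"(?:\s+(?P<unit>[A-Za-z]+))?\s*$"        # msecs / ops / threads, if present
)

# Equivalent Splunk search (index and sourcetype are placeholders):
#   index=PLACEHOLDER sourcetype=PLACEHOLDER
#   | rex "^(?<metric>\w+\.\w+):\s+(?<value>(?:\d*\.)?\d+|\S+)(?:\s+(?<unit>[A-Za-z]+))?\s*$"
#   | search metric="DBWaitTime.avg" | timechart avg(value)


def parse_metrics(text):
    """Return {metric: (value, unit)}; value is a float when numeric, else the raw token."""
    out = {}
    for line in text.splitlines():
        m = METRIC_RE.match(line)
        if not m:
            continue  # section headers like /JDBC/Driver/... carry no name: value pair
        value = m["value"]
        try:
            value = float(value)
        except ValueError:
            pass  # PORTLET, null, jdbc:oracle:thin: stay strings
        out[m["metric"]] = (value, m["unit"])
    return out


if __name__ == "__main__":
    for name, (val, unit) in parse_metrics(SAMPLE).items():
        print(f"{name:32} {val!r:22} {unit}")
```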