Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Interactive field extractor not selecting all ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interactive field extractor not selecting all named values
Below is my data. I have used very simple "Example values for a field" like, 23 or 1.27, or msec or threads.
The response back never properly defines the named objects. Goal is to be able to report on the values below over time.
DBWaitTime.avg: 1.273037542662116 msecs
DBWaitTime.completed: 293 ops
DBWaitTime.maxActive: 1 threads
DBWaitTime.maxTime: 23 msecs
DBWaitTime.minTime: 0 msecs
DBWaitTime.time: 373 msecs
JDBC_Connection_Url.value: jdbc:oracle:thin:
JDBC_Connection_Username.value: PORTLET
LogicalConnection.value: null
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0 threads
Execute.avg: 1.3652482269503545 msecs
Execute.completed: 282 ops
Execute.maxActive: 1 threads
Execute.maxTime: 10 msecs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might need to learn a little about regular expressions and edit the regex that the IFX generates. Splunk can only perform a brute-force analysis of the data to create a regular expression - since you have an understanding of your own data, you can probably do better.
If you don't know regular expressions, here is a pretty decent and short tutorial:
http://regexone.com/
Also, if you gave the community an idea of what you want to extract, we could help with the regular expressions. Your question really doesn't tell us much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response.
a use case of the report for the data above would be "DBWaitTime.avg" over time.
My understanding is I should be able to extract this filed (and others) based on the query.
In the examples I have watched, the end user selects the changing variable (the " 1.273037542662116 ") for SPLUNK to "learn" the log.
For converstaion purposes, using this segment: DBWaitTime.avg: 1.273037542662116 msecs
Should I be creating a field extractions off of:
1) DBWaitTime.ave
2) 1.273037542662116
3) msecs
If I choose:
1 the response is "regex" can not be learned
2) the response highlights very good information, but the field names are now the found response times (numbers)
3) the response highlights very good information, but the field names are now the found response names (msec,threads,ops)
GOAL is to chart Database wait time (in msec) over time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am almost there, and really appreciate assistance with connecting the dots.
The generation of the Field extractor Regex is much more complex than that on the web.
Looking back at my data above, if I use an on-line tool with, the following I get all the digits required: (?:\d*.)?\d+
How do I add this to what is being generated by the extractor?: (?i).count:\t(?P[^\t]+)
My lack of understanding (among other things) the "?i" "\t" "P" "^\t"
My understand of the above is " period, count to the : any ? ( Optional Letter? field Name Starts with any digit?) one or more repetitions.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
