Below is my data. I have used very simple "Example values for a field" like 23 or 1.27, or msec or threads.
DBWaitTime.avg: 1.273037542662116 msecs
DBWaitTime.completed: 293 ops
DBWaitTime.maxActive: 1 threads
DBWaitTime.maxTime: 23 msecs
DBWaitTime.minTime: 0 msecs
DBWaitTime.time: 373 msecs
JDBC_Connection_Url.value: jdbc:oracle:thin:
JDBC_Connection_Username.value: PORTLET
LogicalConnection.value: null
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0 threads
Execute.avg: 1.3652482269503545 msecs
Execute.completed: 282 ops
Execute.maxActive: 1 threads
Execute.maxTime: 10 msecs
You might need to learn a little about regular expressions and edit the regex that the IFX generates. Splunk can only perform a brute-force analysis of the data to create a regular expression - since you have an understanding of your own data, you can probably do better.
If you don't know regular expressions, here is a pretty decent and short tutorial:
Also, if you gave the community an idea of what you want to extract, we could help with the regular expressions. Your question really doesn't tell us much.
Thank you for your response.
A use case of the report for the data above would be "DBWaitTime.avg" over time.
My understanding is I should be able to extract this field (and others) based on the query.
For conversation purposes, using this segment: DBWaitTime.avg: 1.273037542662116 msecs
Should I be creating a field extraction off of:
If I choose:
GOAL is to chart Database wait time (in msec) over time.
I am almost there, and really appreciate assistance with connecting the dots.
The generation of the Field extractor Regex is much more complex than that on the web.
Looking back at my data above, if I use an online tool with the following, I get all the digits required: (?:\d*.)?\d+
How do I add this to what is being generated by the extractor?: (?i).count:\t(?P[^\t]+)
My lack of understanding is (among other things) of the "?i", "\t", "P" and "^\t".
My understanding of the above is " period, count to the : any ? ( Optional Letter? field Name Starts with any digit?) one or more repetitions.
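An added example, not part of the original thread and not the regex Splunk's extractor generates: the tokens asked about above, (?i), \t, (?P<name>...) and [^\t]+, annotated in a Python pattern that pulls DBWaitTime.avg and the other numeric fields out of the sample data. The group names metric, stat, value and unit, and the helper function names, are assumptions chosen for illustration.

```python
import re

# Constructed sample, copied from the values in the question; a space follows
# each colon here, while the generated regex quoted in the thread expects a tab.
SAMPLE = """\
DBWaitTime.avg: 1.273037542662116 msecs
DBWaitTime.completed: 293 ops
DBWaitTime.maxTime: 23 msecs
JDBC_Connection_Username.value: PORTLET
LogicalConnection.value: null
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.avg: 1.3652482269503545 msecs
Execute.completed: 282 ops
"""

# One "Name.stat: number unit" line, built from the same pieces as the
# generated regex. Group names are hypothetical.
METRIC = re.compile(
    r"""(?ix)                     # (?i) ignore case; x permits these comments
    ^(?P<metric>\w+)              # (?P<name>...) captures into a named field
    \.(?P<stat>\w+)               # \. is a literal period; a bare . is any char
    :[ \t]+                       # colon, then spaces or tabs (\t is a tab)
    (?P<value>\d+(?:\.\d+)?)      # integer or decimal; (?:...) does not capture
    [ \t]+(?P<unit>[^\t\n]+)$     # [^\t\n]+ = one or more non-tab, non-newline chars
    """,
    re.MULTILINE,
)

def parse_metrics(text):
    """Return {"Metric.stat": (float_value, unit)} for every numeric line."""
    out = {}
    for m in METRIC.finditer(text):
        out[f"{m['metric']}.{m['stat']}"] = (float(m["value"]), m["unit"].strip())
    return out

def db_wait_avg(text):
    """Value of DBWaitTime.avg in msecs, or None if the line is absent."""
    hit = parse_metrics(text).get("DBWaitTime.avg")
    return hit[0] if hit else None

if __name__ == "__main__":
    for name, (value, unit) in parse_metrics(SAMPLE).items():
        print(f"{name:25} {value:>22} {unit}")
```

Lines whose value is not a number (the username, the null connection, the /JDBC/... section header) are skipped rather than mis-parsed.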