Search split value with spaces

oferprtz
Path Finder

Hi,

Newbie here 🙂
Trying to search a value that is actually split with spaces:

DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:
DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:

I'm trying to create a search or chart that will min and max the values of the elapsed.
Since the values are separated with spaces I cannot achieve that.

any ideas?

thanks,
ofer


ranjyotiprakash
Communicator

You can use the following rex command to extract the elapsed field:

.... | rex field=_raw ".*\s+elapsed\s+:\s+(?<elapsed>\d+)\s"

and then use timechart, table, stats, etc. commands based upon your requirement.
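The same extraction and min/max, written out in Python as an added example (not part of the thread), so the regex from the answer can be checked offline against the two log lines from the question plus two constructed lines (one for a second resource and one with no elapsed value at all). It also goes one step further than the thread by grouping the min/max per resource.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events: the first two are the lines from the question,
# the third and fourth are added to exercise a second resource and an event
# that carries no elapsed value (which must be skipped, not crash the stats).
SAMPLE_EVENTS = [
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:",
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:",
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: Cache elapsed : 17 details: Cache:",
    "INFO  Startup complete",
]

# Splunk's rex uses PCRE syntax, where a named group is (?<name>...);
# Python's re module spells it (?P<name>...). Apart from that, this is the
# answer's pattern with one extra group added for the resource name.
ELAPSED_RE = re.compile(
    r"resource:\s+(?P<resource>\S+)\s+elapsed\s+:\s+(?P<elapsed>\d+)\s"
)


def extract_elapsed(event: str) -> Optional[Tuple[str, int]]:
    """Equivalent of `| rex field=_raw "..."`: (resource, elapsed) or None."""
    m = ELAPSED_RE.search(event)
    if m is None:
        return None
    return m.group("resource"), int(m.group("elapsed"))


def stats_min_max(events: List[str]) -> Dict[str, Tuple[int, int]]:
    """Equivalent of `| stats min(elapsed) max(elapsed) by resource`."""
    result: Dict[str, Tuple[int, int]] = {}
    for event in events:
        hit = extract_elapsed(event)
        if hit is None:
            continue  # event has no elapsed field, exactly as stats would ignore it
        resource, elapsed = hit
        lo, hi = result.get(resource, (elapsed, elapsed))
        result[resource] = (min(lo, elapsed), max(hi, elapsed))
    return result


if __name__ == "__main__":
    for resource, (lo, hi) in stats_min_max(SAMPLE_EVENTS).items():
        print(f"{resource}: min={lo} max={hi}")
```

In Splunk the equivalent pipeline is the rex above followed by `| stats min(elapsed) max(elapsed)`, with `by resource` appended if the resource group is extracted too.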


oferprtz
Path Finder

Thank you! Found the issue, it was set as the wrong sourcetype, now it's working perfectly!

thanks!


aholzer
Motivator

I'd have to take a look at your field extraction definition, but I'm guessing that you stored it for the wrong sourcetype, or you have a typo.

The other thing that could be happening is that your "elapsed" field occurs so rarely that it isn't one of your "interesting fields", since it doesn't appear in 50% or more of your events. In which case you would see it if you clicked on the "edit" button next to "selected fields" and look for "elapsed".

oferprtz
Path Finder

Great stuff ranjyotiprakash! Seems that the search works flawlessly, now I've got 2 methods of use!

thanks!


aholzer
Motivator

@oferprtz, what @ranjyotiprakash says here is also a good method. I simply prefer creating a field extraction, for a couple of reasons:
1) It helps to be consistent where you store fields of interest to you
2) You don't have to reuse the code in every search you want this field included in

But what @ranjyotiprakash says is a great method to confirm that the regex for the field extraction is in fact working.

oferprtz
Path Finder

Thanks for the quick response aholzer!!
One more question 🙂
I've created a new field extraction and saved it, but when I do a search the field 'elapsed' wouldn't show in the fields.
It shows up only when I use this line:
PerformanceMonitor | rex "elapsed\s:\s(?<elapsed>[^\s]+)\s"
in the search line.
What am I missing here?

thanks,
ofer.


aholzer
Motivator

The regex above is supposed to escape all the "s" after elapsed, but due to formatting it was lost when I pasted it in the comment. Here it is again:
"elapsed\s:\s(?<elapsed>[^\s]+)\s"

aholzer
Motivator

I'd suggest creating a field extraction for your values. That way you can later reference the field in your chart and / or search.

You'll need to use some regex to get the values properly. You can use something like this:
"elapsed\s:\s(?<elapsed>[^\s]+)\s"

Here's some documentation on field extraction:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime
