Splunk Search

Search split value with spaces

Path Finder

Hi,

Newbie here 🙂
trying to search a value that is actually split with spaces:

DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:
DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:

I'm trying to create a search or chart that will min and max the values of the elapsed.
Since the values are separated with spaces I cannot achieve that.

any ideas?

thanks,
ofer

1 Solution

Communicator

You can use the following rex command to extract the elapsed field:

.... | rex field=_raw ".*\s+elapsed\s+:\s+(?<elapsed>\d+)\s"

and then use timechart, table, stats, etc. commands based upon your requirement.

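To show what the rex extraction above actually yields on the two events from the question, here is an added example (not part of this thread or of Splunk) that applies the same pattern in Python and then computes the min/max/avg the original poster asked for, the way `... | stats min(elapsed) max(elapsed) avg(elapsed) count` would. Python spells a named group `(?P<elapsed>...)` instead of Splunk's PCRE `(?<elapsed>...)`; the rest of the pattern is unchanged. The third and fourth sample events are constructed to show that other resources are captured and that a non-matching event simply has no field, which is also how rex behaves.

```python
import re
from statistics import mean

# Constructed sample events: the two lines from the question plus two made-up ones
# (a different resource, and a line with no timing at all).
SAMPLE_EVENTS = [
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:",
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:",
    "DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: Cache elapsed : 17 details: Cache:",
    "INFO SomethingElse - no timing information on this line",
]

# The accepted answer's rex pattern, with the named group written in Python syntax.
ELAPSED_RE = re.compile(r".*\s+elapsed\s+:\s+(?P<elapsed>\d+)\s")

# The field-extraction regex suggested elsewhere in the thread, same translation.
ELAPSED_FX_RE = re.compile(r"elapsed\s:\s(?P<elapsed>[^\s]+)\s")


def extract_elapsed(event, pattern=ELAPSED_RE):
    """Return the elapsed value as an int, or None when the event has no such field.

    Mirrors rex: an event that does not match just gets no 'elapsed' field,
    and a captured value that is not numeric is treated as missing."""
    m = pattern.search(event)
    if not m:
        return None
    try:
        return int(m.group("elapsed"))
    except ValueError:
        return None


def elapsed_stats(events, pattern=ELAPSED_RE):
    """Equivalent of `| stats count min(elapsed) max(elapsed) avg(elapsed)`."""
    values = [v for v in (extract_elapsed(e, pattern) for e in events) if v is not None]
    if not values:
        return {"count": 0, "min": None, "max": None, "avg": None}
    return {
        "count": len(values),
        "min": min(values),
        "max": max(values),
        "avg": mean(values),
    }


if __name__ == "__main__":
    print(elapsed_stats(SAMPLE_EVENTS))
    # Both regexes from the thread extract the same numbers on these events.
    print(elapsed_stats(SAMPLE_EVENTS, ELAPSED_FX_RE))
```

Running it on the sample events gives count 3, min 17, max 11204, regardless of which of the two thread regexes is used; the "no timing" line contributes nothing, which is the behaviour you want before feeding the field to stats or timechart.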

Path Finder

Thank you! Found the issue, it was set as the wrong sourcetype, now it's working perfectly!

thanks!


Motivator

I'd have to take a look at your field extraction definition, but I'm guessing that you stored it for the wrong sourcetype, or you have a typo.

The other thing that could be happening is that your "elapsed" field occurs so rarely that it isn't one of your "interesting fields", since it doesn't appear in 50% or more of your events. In which case you would see it if you clicked on the "edit" button next to "selected fields" and looked for "elapsed".


Path Finder

Great stuff ranjyotiprakash! Seems that the search works flawlessly, now I've got 2 methods of use!

thanks!


Motivator

@oferprtz, what @ranjyotiprakash says here is also a good method. I simply prefer creating a field extraction, for a couple of reasons:
1) It helps to be consistent where you store fields of interest to you
2) You don't have to reuse the code in every search you want this field included in

But what @ranjyotiprakash says is a great method to confirm that the regex for the field extraction is in fact working.

Path Finder

Thanks for the quick response aholzer!!
One more question 🙂
I've created a new field extraction and saved it, but when I do a search the field 'elapsed' wouldn't show in the fields.
It shows up only when I use this line:
PerformanceMonitor | rex "elapsed\s:\s(?<elapsed>[^\s]+)\s"
in the search line.
What am I missing here?

thanks,
ofer.


Motivator

the regex above is supposed to escape all the "s" after elapsed, but due to formatting it was lost when I pasted it in the comment. Here it is again:
"elapsed\s:\s(?<elapsed>[^\s]+)\s"

Motivator

I'd suggest creating a field extraction for your values. That way you can later reference the field in your chart and / or search.

You'll need to use some regex to get the values properly. You can use something like this:
"elapsed\s:\s(?<elapsed>[^\s]+)\s"

Here's some documentation on field extraction:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime