- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Spunk Search Query for Trimming and Grouping
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a CSV named Results2018.
It has fields Group, Server, Issue.
The field Issue has information about CPU and Memory utilization from different sources.
The CPU field is populated in CSV as “CPU bottleneck detected on Server A”, “CPU bottleneck detected on Server B” and so on. Likewise, for Memory utilization as “Memory utilization exceeded on Server A” …. Server B and so on.
What I am trying to do it to trim, match and group CPU bottleneck issue value in this field in the CSV and take a total count of that (Not on Server A or B).
For example, trim down the field value to only “CPU bottleneck detected” and do a total event count on that.
I trying to get the top 10 issues with the highest count here for all the issues in this file.
Thanks in -advance for assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mbasharat,
Try this,
your search|rex field=Issue "^(?P<message>\w+\s+\w+\s+\w+)"|stats count by message| sort count desc|head 10
Updated as per comments
|makeresults |eval Issue="CPU bottleneck detected on Server A"|eval Trimmed=substr(Issue,1,23)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
|inputcsv Results2018.csv
| rex field=Issue mode=sed "s/ on Server .*$//g"
| top 10 Issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mbasharat,
Try this,
your search|rex field=Issue "^(?P<message>\w+\s+\w+\s+\w+)"|stats count by message| sort count desc|head 10
Updated as per comments
|makeresults |eval Issue="CPU bottleneck detected on Server A"|eval Trimmed=substr(Issue,1,23)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Renjith,
Is it possible to use "eval" instead? Less complicated vs regex. The above one is giving syntax error.
| rex field=Issue "^(?P\w+\s+\w+\s+\w+)"
What I really need is to just pick up the A CPU bottleneck, skip the rest and get a top 10 count.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mbasharat,
Rex works for me. I have tired like below
|makeresults |eval Issue="CPU bottleneck detected on Server A"|rex field=Issue "^(?P<message>\w+\s+\w+\s+\w+)"
However, you could extract the substring also
|makeresults |eval Issue="CPU bottleneck detected on Server A"|eval Trimmed=substr(Issue,1,23)
If you only need CPU bottleneck, you shall include this in your base search Issue="CPU*" which will filter out Memory related.
Hope this helps
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked!! THANK YOU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mbasharat,
Glad to hear. Please accept answer/vote if you dont have further questions on this
What goes around comes around. If it helps, hit it with Karma 🙂
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
