Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to do timechart for a field which has varying values

anoopambli
Communicator
‎10-16-2016 06:38 AM

I am extracting a field using regular expression, it looks like below, These are top 5 processes which is consuming high memory

SiteScope.exe MemGB : 4886
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125
WmiApSrv.exe MemGB : 107
SiteScope.exe MemGB : 4885
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125
WmiApSrv.exe MemGB : 107
SiteScope.exe MemGB : 4884
perfmon.exe MemGB : 282
svchost.exe MemGB : 172
powershell.exe MemGB : 125

I am splitting the process name and memory usage again using regex. Once i do that there is be 5 process names but many numbers of memory usage values (during the selected time frame). I want to do a timechart for memory usage but it is not coming up correctly. When i do a table for Processname and memory, each event is coming up with 5 proc names and mem usage. How do i split them into separate events?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-16-2016 12:23 PM

You would need mvexpand command to split a multivalued field. Give this a try

index = tso_operations sourcetype = sitescope_monitorstate host = tsmonw24prdv "[TSMONW46PRDV] Top 10 Proc_Mem" | rex max_match=5 "Name\s+:\s+(?<Process>\S+\sMemGB\s:\s\d+)" | mvexpand Process | rex field=Process "^(?<Process>\w+).exe\sMemGB\s:\s(?<MemGB>\d+)" | timechart max(MemGB) by Process limit=0

View solution in original post

Reply
Solved! Jump to solution

sloshburch
Ultra Champion
‎10-17-2016 02:10 PM

Isn't this info also available from the top input in the Nix TA? I thought both Win and Nix TAs had nice definitions of data collections and sourcetypes for this type of info.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-16-2016 12:23 PM

You would need mvexpand command to split a multivalued field. Give this a try

index = tso_operations sourcetype = sitescope_monitorstate host = tsmonw24prdv "[TSMONW46PRDV] Top 10 Proc_Mem" | rex max_match=5 "Name\s+:\s+(?<Process>\S+\sMemGB\s:\s\d+)" | mvexpand Process | rex field=Process "^(?<Process>\w+).exe\sMemGB\s:\s(?<MemGB>\d+)" | timechart max(MemGB) by Process limit=0
Reply
Solved! Jump to solution

anoopambli
Communicator
‎10-16-2016 09:09 PM

That worked. Thank you very much.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2016 10:52 AM

Is the sample data a single event or multiple events?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-16-2016 07:40 AM

Please share your query (including the regex)

0 Karma
Reply
Solved! Jump to solution

anoopambli
Communicator
‎10-16-2016 09:34 AM

index = tso_operations sourcetype = sitescope_monitorstate host = tsmonw24prdv "[TSMONW46PRDV] Top 10 Proc_Mem" | rex max_match=5 "Name\s+:\s+(?\S+\sMemGB\s:\s\d+)" | rex field=Process "(?^\w+).exe\sMemGB\s:\s(?\d+)"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...