Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to extract event values using REGEX and FORMAT in transforms.conf and REPORT in props.conf?

ishangajera
Explorer
‎08-10-2015 05:42 AM

Hi

I have created a shell script (script input) which is attached. It gives me information about status of threads in Linux.

Sample output of the script is as below:

totThreads      runThreads      slpThreads
       433               2             431

Now I want extract fields from these events.

In transforms.conf: 

[fields_for_threads_sh]
REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
FORMAT = totThreads::"$1" runThreads::"$2" slpThreads::"$3"

In props.conf:

[threads]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT

REPORT-0kv_for_threads = fields_for_threads_sh
FIELDALIAS-system_threads_count_for_threads = totThreads as system_threads_count
FIELDALIAS-sleeping_threads_count_for_threads = slpThreads as wait_threads_count
FIELDALIAS-running_threads_count_for_threads = runThreads as running_threads_count

Now when all this is configured, my events are generated with all three values as 0.

totThreads  runThreads  slpThreads
         0           0           0

Please help where I am going wrong?

0 Karma
Reply

ishangajera
Explorer
‎08-18-2015 06:44 AM

Hi,

I am still not able to find the solution. Can anyone please help?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-12-2015 06:27 AM

Since it is multiline, try this:

REGEX = (?m)\s*(\d+)\s+(\d+)\s+(\d+)
FORMAT = totThreads::$1 runThreads::$2 slpThreads::$3
Reply

ishangajera
Explorer
‎08-12-2015 09:50 PM

Hi,

It is still not working. I have another configuration for another field in the app.
That is also multiline event. But for that we are getting the data in events.

Details of that field are as below:

Ouput of shell script:

 [root@splunkitsi bin]$ ./vmstat.sh
    memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
         12863       12122         741        94.2         5.8   338955619          0.9       12696  2302182698  3016592159    15420967         130         407        1.08

Content of Transforms.conf

#memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
    #      8192        4153        4039        50.7        49.3     1585619          5.0           ?           ?           ?           ?          82         566        0.72
    [fields_for_vmstat_sh]
    REGEX = \s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)\s+([0-9.?]+)
    FORMAT = memTotalMB::"$1" memFreeMB::"$2" memUsedMB::"$3" memFreePct::"$4" memUsedPct::"$5" pgPageOut::"$6" swapUsedPct::"$7" pgSwapOut::"$8" cSwitches::"$9" interrupts::"$10" forks::"$11" processes::"$12" threads::"$13" loadAvg1mi::"$14"

Contents of Props.conf

[vmstat]
    LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
    TRUNCATE=1000000
    DATETIME_CONFIG = CURRENT
    REPORT-0kv_for_vmstat = fields_for_vmstat_sh,vmstat_linux,vmstat_osx
    FIELDALIAS-dest_for_vmstat = host as dest
    EVAL-mem = if(isnotnull(memFreeMB) AND isnotnull(memUsedMB),(memFreeMB*1048576)+(memUsedMB*1048576),null())
    EVAL-mem_free = if(isnotnull(memFreeMB),memFreeMB*1048576,null())
    EVAL-mem_used = if(isnotnull(memUsedMB),memUsedMB*1048576,null())
    FIELDALIAS-src_for_vmstat = host as src

Event output in Search query:
alt text

0 Karma
Reply

woodcock
Esteemed Legend
‎08-13-2015 11:17 AM

I am stumped.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-10-2015 10:30 AM

Try this:

REGEX = \s*(\d+)\s+(\d+)\s+(\d+)
FORMAT = totThreads::$1 runThreads::$2 slpThreads::$3
0 Karma
Reply

ishangajera
Explorer
‎08-10-2015 09:30 PM

Hi,

Tried changing REGEX and FORMAT as you specified. But still no change. The values are still 0.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2015 07:10 AM

I don't understand. The configurations we are talking about have NOTHING to do with the data inside the raw events (they can never "case" anything to become "0"). What does this show?

... | table _raw totThreads runThreads slpThreads
0 Karma
Reply

ishangajera
Explorer
‎08-11-2015 09:38 PM

Hi
Please check the output as shown in image:

alt text

0 Karma
Reply

landen99
Motivator
‎09-11-2015 08:21 AM

Obviously he is extracting 0's because the raw data only has 0's. Everything is working as expected. The issue is in the raw data. Look into why your box is sending all 0's

Also, I am not seeing multi-line events. That should not be a consideration in this case.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...