I have jboss logs that print a message size every time jboss restarts. The message size is different every time jboss starts and a message is displayed:
2010-09-28 02:52:04,992 INFO messageSize=4194304bytes
I have a field extraction for the messageSize.
What I want to do now is pull this kind of log and determine what the message size is based upon the last time jboss started since the log (in this case, before 04:43):
2010-09-29 04:43:22,836 INFO Request information [requestid=364a05b7-2beb-4c68-8459-52e6fc4612b3]
I am able to pull one request and its message size using the following Splunk query (although I can't get the request id printed in the table):
sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | rename _time as latest| fields latest] | WHERE MessageSizeBytes NOT NULL | head 1 | table _time MessageSizeBytes
What I really want is a table with requestid and message size (based upon the time when jboss was started).
I hope this makes sense.. it is a complicated query.
I'm not 100% sure that I fully understand what you are trying to do here. One possibility is to use the transaction search command:
sourcetype="server09282010" | transaction startswith=(INFO messageSize) mvlist=requestid | search 364a05b7-2beb-4c68-8459-52e6fc4612b3
You may be able to open the search timeframe slightly, then use stats to pull the values from across events. Off the top of my head, I don't know if a specific "latest" value is inclusive of that exact timestamp; if it is, then the -1 isn't needed... (This may need some tweaking...)
sourcetype="server09282010" [search sourcetype="server09282010" 364a05b7-2beb-4c68-8459-52e6fc4612b3 | head 1 | eval latest=_time-1 | fields latest] | search MessageSizeBytes=* | head 1 | stats min(_time), values(requestid), list(MessageSizeBytes)
The where does work as expected. My main problem is getting a listing of all request ids with the message size (I am able to get one using the query above). I am trying the transaction approach to group every time jboss was started, but I don't think it is going to work for me.
I got a transaction working to split out into 5 transaction statements for the 5 times jboss restarted and I can see the requestids in chunks.. is there a way to break those out?
You're right about the where clause, that's a new one on me. I did look in the docs and I didn't see that syntax, but it's possible I missed it. In any case, I updated my answer and removed that comment.
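An added example, not from any poster in this thread: one way to list every request id with the message size that was in effect at the preceding jboss start is to sort the events oldest-first and carry the last seen size forward with filldown. It assumes the MessageSizeBytes field extraction from the question exists only on the startup events, and it extracts requestid with rex in case that field is not already extracted (the regex is an assumption based on the sample log line).

```spl
sourcetype="server09282010" (messageSize OR requestid)
| rex "requestid=(?<requestid>[0-9a-f-]+)"
| sort 0 _time
| filldown MessageSizeBytes
| where isnotnull(requestid)
| table _time requestid MessageSizeBytes
```

Requests logged before the first startup event in the search window come back with an empty MessageSizeBytes, so the time range has to reach back to at least one jboss start.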