Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

rex fields from *nix netstat output

bearlmax
New Member
‎12-02-2013 11:10 AM

Hello,

I am trying to graph the "packet receive error" value over time for one of our servers. This is a value returned from the *nix netstat command. The search query I am using is:

index=os host=ourServerName source=netstat packet | rex "(?.*)\spacket receive errors" | timechart last(packet_errors)

No values are showing up in the results chart or in the packet_errors column of the results table. The Events List of the result set shows this:

... 336 lines omitted ...
81551449019 packets received

117791511 packets to unknown port received.
72260802 packet receive errors

47604771227 packets sent

... 12 lines omitted ...
3081684486 packets directly queued to recvmsg
1075841087 packets directly received from backlog
1579575698098 packets directly received from prequeue
811125365 packets header predicted

2953985762 packets header predicted and directly
... 2 lines omitted ...

I tried using the Extract Fields feature but Splunk is telling me that no regex could be learned when I tried submitting the Extract Fields form with an example value of "72260802". I've been trying a variety of different rex'es but none have worked. The value I am trying to extract in the Event List example above is "72260802".

Anyone have any tips or tricks to extracting this value?

Thanks,
Chris

Tags (1)
0 Karma
Reply

bearlmax
New Member
‎12-02-2013 12:48 PM

Thank you. You got me on the right track. Looks like there are two spaces in between the words in the phrase "packet receive errors". So this search works for me:

index=os host=myServerName source=netstat packet | rex "(?\d+)\s\spacket\s\sreceive\s\serrors" | timechart last(packet_errors)

Thanks again.

0 Karma
Reply

lukejadamec
Super Champion
‎12-02-2013 11:49 AM

Something like this should work, not much different from what you had:

rex "(?<packet_errors>\d+)\s+packet\s+receive\s+errors"
0 Karma
Reply

lukejadamec
Super Champion
‎12-02-2013 12:51 PM

yer welcome.

For one or more in regex you can use a plus sign.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...