Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk search

sriva6
New Member
‎12-27-2012 11:04 AM

Hi,

I have application logs which read something like this
Blah bla blah File Descriptor: 1234
Blah bla blah File Descriptor: 5678
.
.
.

I have added the log file data to my spunk server and now I want to use splunk to get a trend of the number of file descriptors in a chart. I do not want the number of times the string "file descriptors" appaears in the logs instead i want the value of the file descriptor. Please let me how can I do this?

Tags (1)
0 Karma
Reply

reed_kelly
Contributor
‎12-27-2012 12:01 PM

You can either parse the file descriptor in props.conf or use the rex command to parse it in the search. For example, if you are trying to get a time chart of the number of distinct file descriptors used in each hour, then you could use something like the following:

index=xxx ... |rex field=_raw "File\sDescriptor:\s+(?<file_descriptor>\d+)" |timechart span=1h dc(file_descriptor)

Of course, this has to be used in a chart of some sort.

0 Karma
Reply

lguinn2
Legend
‎12-27-2012 11:51 AM

Try this

yoursearchhere
| rex "File Descriptor:\s(?<fileDescriptor>\S+)"
| timechart count by fileDescriptor

Or

yoursearchhere
| rex "File Descriptor:\s(?<fileDescriptor>\S+)"
| chart count by fileDescriptor

The rex command creates a field called fileDescriptor that can be used in the commands that follow in the pipeline.

0 Karma
Reply

jangid
Builder
‎12-28-2012 06:42 AM

try

| chart values(fileDescriptor)

0 Karma
Reply

sriva6
New Member
‎12-28-2012 04:30 AM

hi,

I tried this but this is giving me a count of the number of times a particular Field Descriptor value appears in the logs but I want to get the list of all the field descriptor values in the logs and plot a graph/chart to show the trend of the descriptors over a time

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...