Have you thought about turning those extractions using rex into perm ones in a props/transforms file?
index=pqaestore source="/log/jboss_jmx_stats.log"
| dedup host
| rex field=_raw "(?:memory=(?<FreeMemory>\d+))"
| rex field=_raw "(?:httpthreads=(?<httpthreads>\d+))"
| rex field=_raw "(?:httpsthreads=(?<httpsthreads>\d+))"
| rex field=_raw "(?:websessions=(?<websessions>\d+))"
| rex field=_raw "(?:ATGAdminDS=(?<ATGAdminDS>\d+))"
| rex field=_raw "(?:ATGCatalogDSA=(?<ATGCatalogDSA>\d+))"
| rex field=_raw "(?:ATGCatalogDSB=(?<ATGCatalogDSB>\d+))"
| rex field=_raw "(?:ATGCSCAdminDS=(?<ATGCSCAdminDS>\d+))"
| rex field=_raw "(?:ATGCustDS=(?<ATGCustDS>\d+))"
| rex field=_raw "(?:ATGOrderDS=(?<ATGOrderDS>\d+))"
| rex field=_raw "(?:ATGPriceDS=(?<ATGPriceDS>\d+))"
| rex field=_raw "(?:ATGSearchDS=(?<ATGSearchDS>\d+))"
| rex field=_raw "(?:DefaultDS=(?<DefaultDS>\d+))"
| rex field=_raw "(?:EStoreAdmDS=(?<EStoreAdmDS>\d+))"
| streamstats count as SNo
| eval AvgfreeMem=commands("* | stats avg(FreeMemory)")
| eval TotalfreeMem=commands("* | stats sum(FreeMemory)")
| table SNo host FreeMemory httpthreads httpsthreads websessions ATGAdminDS ATGCatalogDSA ATGCatalogDSB ATGCSCAdminDS ATGCustDS ATGOrderDS ATGPriceDS ATGSearchDS DefaultDS EStoreAdmDS AvgfreeMem TotalfreeMem
I believe something along those eval statements will work, though I haven't tried the "commands" statement myself; you should be able to work it out through trial and error 🙂:
hxxps://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonEvalFunctions#Multivalue_functions
hxxps://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/CommonStatsFunctions
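The permanent-extraction suggestion at the top of this post, sketched as a search-time props.conf stanza (an added example, not part of the original post). The field names are taken from the table command above; the stanza is keyed on the source path from the search, and the EXTRACT class names after the hyphen are arbitrary labels chosen for this example.

```ini
# props.conf on the search head (search-time field extractions).
# Stanza matches the source used in the search above.
[source::/log/jboss_jmx_stats.log]
# Each EXTRACT-<class> regex runs against _raw; the named capture
# group becomes the field name. Class names here are example labels.
EXTRACT-jmx_freememory    = memory=(?<FreeMemory>\d+)
EXTRACT-jmx_httpthreads   = httpthreads=(?<httpthreads>\d+)
EXTRACT-jmx_httpsthreads  = httpsthreads=(?<httpsthreads>\d+)
EXTRACT-jmx_websessions   = websessions=(?<websessions>\d+)
EXTRACT-jmx_atgadminds    = ATGAdminDS=(?<ATGAdminDS>\d+)
EXTRACT-jmx_atgcatalogdsa = ATGCatalogDSA=(?<ATGCatalogDSA>\d+)
EXTRACT-jmx_atgcatalogdsb = ATGCatalogDSB=(?<ATGCatalogDSB>\d+)
EXTRACT-jmx_atgcscadminds = ATGCSCAdminDS=(?<ATGCSCAdminDS>\d+)
EXTRACT-jmx_atgcustds     = ATGCustDS=(?<ATGCustDS>\d+)
EXTRACT-jmx_atgorderds    = ATGOrderDS=(?<ATGOrderDS>\d+)
EXTRACT-jmx_atgpriceds    = ATGPriceDS=(?<ATGPriceDS>\d+)
EXTRACT-jmx_atgsearchds   = ATGSearchDS=(?<ATGSearchDS>\d+)
EXTRACT-jmx_defaultds     = DefaultDS=(?<DefaultDS>\d+)
EXTRACT-jmx_estoreadmds   = EStoreAdmDS=(?<EStoreAdmDS>\d+)
```

With these in place the fields are available to any search over that source, so the rex lines can be dropped from the query.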