What I did was to reassemble the two halves of the GC event using transactions.
Here's an example:
sourcetype=PIA_stdout ("GC" OR "secs")
| transaction endswith=secs keeporphans=true
| search date_hour>7 date_hour<18
| rex field=source "/webserv/(?<environment>[^/]+)/servers/"
| rex field=_raw "(?<starting_occupancy>[0-9]+)K->(?<ending_occupancy>[0-9]+)K\((?<heap_size>[0-9]+)K\), (?<pause_time>[0-9.]+) secs\]"
| stats max(pause_time) AS "Max Pause" BY environment
In this case, I didn't care about "after hours" GCs, but I couldn't filter on date_hour in the first search because the second half of the events (the part with the "secs]" at the end) didn't get date_hour fields. I had to assemble the two halves into a transaction before I could do a date_hour filter.
Also, when the GC event took less than approx. 3 seconds, it didn't get split. So, I need keeporphans=true to keep the non-jacked-up GC events.
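The reassembly described in this post can be checked offline against sample lines before relying on the search. The following Python sketch is an added example, not part of the original post and not Splunk's transaction implementation: it joins split halves per source, keeps unsplit events, takes the hour from the first half, and applies the post's two regexes. The log lines, timestamps, point of the split and file paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Same patterns as the two rex commands in the post, in Python named-group syntax.
GC_RE = re.compile(r"(?P<starting_occupancy>[0-9]+)K->(?P<ending_occupancy>[0-9]+)K"
                   r"\((?P<heap_size>[0-9]+)K\), (?P<pause_time>[0-9.]+) secs\]")
ENV_RE = re.compile(r"/webserv/(?P<environment>[^/]+)/servers/")
HOUR_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T(\d{2}):")  # assumed timestamp layout

# Constructed sample events as (source, raw), oldest first.
PROD = "/webserv/prod/servers/app1/logs/PIA_stdout.log"
TEST = "/webserv/test/servers/app1/logs/PIA_stdout.log"
EVENTS = [
    (PROD, "2024-01-15T09:12:01 [GC 102400K->51200K(204800K), 0.0456 secs]"),
    (PROD, "2024-01-15T10:00:00 [GC"),                   # first half of a split event
    (PROD, " 190000K->60000K(204800K), 3.4100 secs]"),   # second half, no timestamp
    (PROD, "2024-01-15T23:30:00 [GC"),                   # split event, after hours
    (PROD, " 200000K->70000K(204800K), 9.9000 secs]"),
    (TEST, "2024-01-15T11:05:00 [GC 5000K->1000K(204800K), 0.2000 secs]"),
]

def reassemble(events):
    """Join lines per source until one ends in 'secs]'; unsplit events pass through."""
    pending = {}
    for source, raw in events:
        text = pending.pop(source, "") + raw
        if text.rstrip().endswith("secs]"):
            yield source, text
        else:
            pending[source] = text  # wait for the closing half

def max_pause_by_environment(events, first_hour=8, last_hour=17):
    """Maximum pause per environment for events starting in business hours."""
    result = defaultdict(float)
    for source, text in reassemble(events):
        hour, gc, env = HOUR_RE.match(text), GC_RE.search(text), ENV_RE.search(source)
        if not (hour and gc and env):
            continue
        # Equivalent of date_hour>7 date_hour<18, applied after reassembly.
        if first_hour <= int(hour.group(1)) <= last_hour:
            name = env.group("environment")
            result[name] = max(result[name], float(gc.group("pause_time")))
    return dict(result)

if __name__ == "__main__":
    print(max_pause_by_environment(EVENTS))
```

Filtering the raw lines by hour before joining would drop every second half, since those lines carry no timestamp; that is the same ordering constraint the post describes for date_hour.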