Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a splunk query for the following problem?

suvi6789
Explorer
‎08-14-2023 02:59 PM

Hi , 

Below is my raw data 

{

timestamp: 2023-09-10

Version:1

Kubernetes.namespace: X

Kubernetes.node: Y

App_id:12345

Host: server.ms.com

Log:  21:46:32.268 [[Runtime].uber.471: [dasda-dasf-fasfs-import-1.0.0].vmstats.com] INFO net.das.com - ProcessCPUload=2.39| SystemCPUload=2.55|Initial memory=1.00| Usedheapmemory=0.70|Maxheap memory=0.95|commited_memory=0.95

S_sourcetype=x

Source=lkms

}

Now, If query as index=123 | table log --> I get the complete data in the log field but my aim to create a table with columns as  ProcessCPUload, SystemCPUload, Usedheapmemory, Maxheap memory, commited_memory with their respective values. 

Could you help on how could I achieve this please

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-14-2023 07:16 PM

Use this rex statement

| rex field=Log "ProcessCPUload=(?<ProcessCPUload>[\d\.]*).+SystemCPUload(?<SystemCPUload>[\d\.]*).+Usedheapmemory=(?<Usedheapmemory>[\d\.]*).+Maxheap memory=(?<MaxheapMemory>[\d\.]*).+commited_memory=(?<commited_memory>[\d\.]*)"

It will generate a bunch of field names and assumes the format of the data will be as shown - if the order of the fields changes in the log, this will not work

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-14-2023 07:16 PM

Use this rex statement

| rex field=Log "ProcessCPUload=(?<ProcessCPUload>[\d\.]*).+SystemCPUload(?<SystemCPUload>[\d\.]*).+Usedheapmemory=(?<Usedheapmemory>[\d\.]*).+Maxheap memory=(?<MaxheapMemory>[\d\.]*).+commited_memory=(?<commited_memory>[\d\.]*)"

It will generate a bunch of field names and assumes the format of the data will be as shown - if the order of the fields changes in the log, this will not work

Reply
Solved! Jump to solution

suvi6789
Explorer
‎08-15-2023 02:07 PM

Ho Bowesmana,
Many thanks for the update. This has fixed my issue and I was able to generate the report that I needed 😊.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-15-2023 04:11 PM

If this solution helped, please mark it as a solution so others can benefit.

0 Karma
Reply
Solved! Jump to solution

suvi6789
Explorer
‎08-18-2023 12:23 AM

Yes, The suggested solution  has worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...