splunk search

sriva6 · ‎12-27-2012

Hi,

I have application logs which read something like this
Blah bla blah File Descriptor: 1234
Blah bla blah File Descriptor: 5678
.
.
.

I have added the log file data to my spunk server and now I want to use splunk to get a trend of the number of file descriptors in a chart. I do not want the number of times the string "file descriptors" appaears in the logs instead i want the value of the file descriptor. Please let me how can I do this?

reed_kelly · ‎12-27-2012

You can either parse the file descriptor in props.conf or use the rex command to parse it in the search. For example, if you are trying to get a time chart of the number of distinct file descriptors used in each hour, then you could use something like the following:

index=xxx ... |rex field=_raw "File\sDescriptor:\s+(?<file_descriptor>\d+)" |timechart span=1h dc(file_descriptor)

Of course, this has to be used in a chart of some sort.

lguinn2 · ‎12-27-2012

Try this

yoursearchhere
| rex "File Descriptor:\s(?<fileDescriptor>\S+)"
| timechart count by fileDescriptor

Or

yoursearchhere
| rex "File Descriptor:\s(?<fileDescriptor>\S+)"
| chart count by fileDescriptor

The rex command creates a field called fileDescriptor that can be used in the commands that follow in the pipeline.

jangid · ‎12-28-2012

try

| chart values(fileDescriptor)

sriva6 · ‎12-28-2012

hi,

I tried this but this is giving me a count of the number of times a particular Field Descriptor value appears in the logs but I want to get the list of all the field descriptor values in the logs and plot a graph/chart to show the trend of the descriptors over a time

splunk search

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024