I'm trying to extract a single field from a log and perform some statistical calculations using stats.
The log entries I have look like the following:
"Jan 22 16:43:48 10.164.93.7 10.164.93.7 local2 warn rpd[1106]: RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp B.R2.CHI-1) bandwidth changed, path bandwidth 81659056 bps","2013-01-22T11:43:48.000-0500",,16,22,43,january,48,tuesday,2013,local,"nix-all-logs",local2,"log.itgh.net",,"syslog_prod",1,22,"C-NET","10.164.93.7","10.164.93.7","R1.BB-FO.BRN1",Jan,"16:43:48","RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp R1.CHI2-1) bandwidth changed, path bandwidth 81659056 bps",,"__::_..._...___[]:_:____(_-.-.-)__,____",warn,"/app/syslog/10.164.93.7/10.164.93.7.log","syslog_vrsn","splunk6",,16,7
The query I'm using is:
index=syslog_data bandwidth | extract pairdelim="bandwidth", kvdelim="bps", auto=f
does not extract the bandwidth number, in the above example, I just want to extract the number 81659056
I can user the IFX to extract the field, but then the extracted field looks like:
1 0.877193
5 RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp R6.NYC.LAX3-1) bandwidth changed, path bandwidth 75085360 bps
What is the best way to extract just the bandwidth from the entry?
Thanks in advance.
... View more