rex fields from *nix netstat output

bearlmax
New Member

Hello,

I am trying to graph the "packet receive error" value over time for one of our servers. This is a value returned from the *nix netstat command. The search query I am using is:

index=os host=ourServerName source=netstat packet | rex "(?<packet_errors>.*)\spacket receive errors" | timechart last(packet_errors)

No values are showing up in the results chart or in the packet_errors column of the results table. The Events List of the result set shows this:

... 336 lines omitted ...
81551449019 packets received

117791511 packets to unknown port received.
72260802 packet receive errors

47604771227 packets sent

... 12 lines omitted ...
3081684486 packets directly queued to recvmsg
1075841087 packets directly received from backlog
1579575698098 packets directly received from prequeue
811125365 packets header predicted

2953985762 packets header predicted and directly
... 2 lines omitted ...

I tried using the Extract Fields feature but Splunk is telling me that no regex could be learned when I tried submitting the Extract Fields form with an example value of "72260802". I've been trying a variety of different rex'es but none have worked. The value I am trying to extract in the Event List example above is "72260802".

Anyone have any tips or tricks for extracting this value?

Thanks,
Chris

0 Karma

bearlmax
New Member

Thank you. You got me on the right track. Looks like there are two spaces in between the words in the phrase "packet receive errors". So this search works for me:

index=os host=myServerName source=netstat packet | rex "(?<packet_errors>\d+)\s\spacket\s\sreceive\s\serrors" | timechart last(packet_errors)

Thanks again.

0 Karma

lukejadamec
Super Champion

Something like this should work, not much different from what you had:

rex "(?<packet_errors>\d+)\s+packet\s+receive\s+errors"
0 Karma

lukejadamec
Super Champion

yer welcome.

For one or more in regex you can use a plus sign.

0 Karma
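The whitespace problem discussed in this thread, reproduced outside Splunk as an added example (this is not code from the original thread or from Splunk). It runs the original single-\s pattern and lukejadamec's \s+ version against a constructed netstat -s fragment that has two spaces between the words, then goes one step further with a generic counter parser that collapses runs of whitespace so every "<count> <label>" line is extracted, not just the one field. Python's re module needs the (?P<name>...) form for named groups; Splunk's rex (PCRE) accepts the (?<name>...) form used in the thread. The sample text and the function names are assumptions made for this example.

```python
import re

# Constructed sample of netstat -s output (not copied from the post).
# The "packet receive errors" line deliberately has two spaces between words,
# which is what made the original single-\s rex fail.
NETSTAT_SAMPLE = """\
    81551449019 packets received
    117791511 packets to unknown port received.
    72260802 packet  receive  errors
    47604771227 packets sent
"""

# The OP's first attempt: exactly one whitespace character between words.
ORIGINAL_RX = re.compile(r"(?P<packet_errors>\d+)\spacket\sreceive\serrors")

# lukejadamec's fix: \s+ matches one or more whitespace characters.
FIXED_RX = re.compile(r"(?P<packet_errors>\d+)\s+packet\s+receive\s+errors")

# Generic "<count> <label>" line, optional trailing period, for the parser below.
COUNTER_RX = re.compile(r"^\s*(?P<value>\d+)\s+(?P<label>.+?)\.?\s*$")


def extract_packet_errors(text, rx=FIXED_RX):
    """Return the packet receive error count as an int, or None if no line matches."""
    m = rx.search(text)
    return int(m.group("packet_errors")) if m else None


def parse_counters(text):
    """Parse every netstat counter line into {label: value}.

    Runs of whitespace inside the label are collapsed to a single space, so
    "packet  receive  errors" and "packet receive errors" map to the same key.
    """
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RX.match(line)
        if not m:
            continue
        label = " ".join(m.group("label").split())
        counters[label] = int(m.group("value"))
    return counters


if __name__ == "__main__":
    print("single \\s :", extract_packet_errors(NETSTAT_SAMPLE, ORIGINAL_RX))
    print("\\s+       :", extract_packet_errors(NETSTAT_SAMPLE))
    for label, value in parse_counters(NETSTAT_SAMPLE).items():
        print(f"{value:>14}  {label}")
```

The first call returns None, exactly the empty packet_errors column the question describes; the second returns 72260802. When building a timechart over many counters, parse_counters is the pattern to reuse: one regex per line shape, with whitespace normalised once, instead of one hand-tuned rex per field.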