I wrote an inline field extraction like this:
| rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd"
It works and I see my field CPUPCT in the "fields" pane on the left. If I click on it, I get the usual top 10 values and all looks good. But, if I add:
| timechart avg( CPUTPCT )
Then I get "No results found. Inspect ..."
Any idea why that happens?
Try this
index=os sourcetype=ps host=your_splunk_indexers* splunkd pctCPU | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd" | convert num(CPUPCT) | timechart avg(CPUPCT)
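As an added example (not part of the thread and not Splunk's own code), here is the pipeline above modelled in Python: a rex-style named-capture extraction using the regex posted in the thread (rewritten from Splunk's `(?<name>...)` syntax to Python's `(?P<name>...)`), a numeric conversion equivalent to `convert num()`, and an hourly `timechart avg()`. The ps sample lines, timestamps and CPU values are constructed for the example. It also shows why averaging a field name that was never extracted (CPUTPCT instead of CPUPCT) returns nothing at all rather than an error.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The regex from the thread, with Splunk's (?<name>...) changed to Python's (?P<name>...).
# Everything else is the pattern as posted: user, PID, PSR, pctCPU, CPUTIME, ... "splunkd".
CPU_RE = re.compile(
    r"splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?P<CPUPCT>[\d]+\.[\d]+)[\s]+"
    r"[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd"
)

# Constructed sample events in the ps column layout shown in the thread
# (USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS).
# Timestamps and values are made up; the last line is a non-splunkd process.
EVENTS = [
    ("2014-01-10 10:05:00",
     "splunk 4021 3 12.5 01:02:03 4.1 812344 1530220 ? S 12-03:11:54 splunkd -p 8089 start"),
    ("2014-01-10 10:35:00",
     "splunk 4021 3 7.5 01:02:10 4.1 812344 1530220 ? S 12-03:41:54 splunkd -p 8089 start"),
    ("2014-01-10 11:05:00",
     "splunk 4021 1 3.0 01:02:20 4.1 812344 1530220 ? S 12-04:11:54 splunkd -p 8089 start"),
    ("2014-01-10 11:05:00",
     "root 1 18 0.0 00:01:32 0.0 756 10372 ? S 47-23:31:31 init [3]"),
]

EPOCH = datetime(1970, 1, 1)


def rex(events, pattern=CPU_RE):
    """Splunk-style rex: attach the named captures to every event the regex matches.

    Events that do not match keep only _time and _raw, so the field is simply
    absent on them, which is what the fields pane shows for a partial extraction.
    """
    out = []
    for ts, raw in events:
        m = pattern.search(raw)  # rex searches anywhere in _raw, it is not anchored
        fields = m.groupdict() if m else {}
        out.append({"_time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    "_raw": raw, **fields})
    return out


def timechart_avg(events, field, span=timedelta(hours=1)):
    """Bucket events by `span` and average a numeric field, like timechart avg(field).

    Events without the field contribute nothing. If no event carries the field
    (for instance because its name was misspelled), the result is empty, which is
    Splunk's "No results found" rather than an error about an unknown field.
    Buckets are keyed by their start time as "YYYY-MM-DD HH:MM:SS".
    """
    buckets = defaultdict(list)
    for ev in events:
        if field not in ev:
            continue
        try:
            value = float(ev[field])  # the convert num() step
        except ValueError:
            continue  # non-numeric values are skipped by avg() as well
        t = ev["_time"]
        start = t - ((t - EPOCH) % span)  # align to the span boundary
        buckets[start.isoformat(sep=" ")].append(value)
    return {start: sum(v) / len(v) for start, v in sorted(buckets.items())}


if __name__ == "__main__":
    extracted = rex(EVENTS)
    print(timechart_avg(extracted, "CPUPCT"))   # two hourly averages
    print(timechart_avg(extracted, "CPUTPCT"))  # {} : the field name does not exist
```

The misspelled field name is the interesting case: Splunk does not complain about a field that no event has, so `timechart avg(CPUTPCT)` silently evaluates to no rows, exactly the symptom described in the question.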
Thanks for all your efforts MuS.
I just tried it with the simplest way you proposed, and, to my great surprise, it worked. The one thing I can tell you is that the simplest way didn't work originally. I remember that I had to filter for pctCPU so that I don't get too much data to sift through, and then strangely enough, our infrastructure team ran some updates on the hosts, and it stopped working altogether. So I went overboard with more complex approaches. But now, I just removed the "pctCPU" from the search, and it's back to working as it should have in the first place. So thank you so much!
for me this works fine on Splunk 6.0 Build 182037:
index=os sourcetype=ps splunkd | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd" | timechart avg(CPUPCT)
btw, why are you extracting an existing field? You could use the pctCPU field directly like this:
index=os sourcetype=ps splunkd | timechart avg(pctCPU)
Sorry, it doesn't work.
As a matter of fact I think I looked into that possibility. But I didn't expect it to work because when running the query without timechart, if I open the CPUPCT field in the left pane, it identifies it as "CPUPCT (numeric)".
Hi sansay,
don't put any spaces around your fieldname in the avg command and check your fieldname: you're extracting CPUPCT but you are using CPUTPCT in the timechart.
cheers, MuS
As I explained in the statement, the CPUPCT values appear in the fields pane, only, and ONLY IF THE SEARCH IS NOT FOLLOWED BY A TRANSFORMING COMMAND such as stats, chart, timechart etc.
This is the issue I am trying to resolve. Inspection of the search just tells me that the search with timechart found nothing, which is just impossible since it does bring back logs, and even extract the CPUPCT field without timechart.
Here is the complete query:
index=os sourcetype=ps host=your_splunk_indexers* splunkd pctCPU | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?
Naturally you will have to replace "your_splunk_indexers" with the name you use in your splunk system.
The logs I get back:
USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS
root 1 18 0.0 00:01:32 0.0 756 10372 ? S 47-23:31:31 init [3]
etc.
Either you really have no results, or click the inspect link to see what is marked in yellow; this is the search which brings back nothing.
Hi MuS,
The T was a typo I made when I wrote my question here, and the spaces weren't in my experiments. So, sorry but your suggestion changes nothing. Did you try repeating this?