Given the following log output (timestamps denote the start of a new line), I am trying to graph the **bolded** values, by the respective strings "PS MarkSweep" and "PS Scavenge". However, note that the field does not appear on the instances of PS MarkSweep, specifically because the integer immediately after "PS MarkSweep" is 0. Is there a search I can create that graphs that extracted field iff the integer after the string is nonzero?
So far I have `| rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"` to extract the string as GC_NAME and the int as CollectionCount. Thanks!
162 Mon May 19 15:08:30 EDT 2014 279466791 3 PS MarkSweep 0 0.0 0 0.0 523763712 524288000 523763712 183944776
162 Mon May 19 15:08:30 EDT 2014 9753597 4 PS MarkSweep 0 0.0 0 0.0 532152320 536870912 532152320 42549976
162 Mon May 19 15:08:30 EDT 2014 279466762 1 PS Scavenge 128 0.0 644 0.0 272758272 **5.0** 524288000 524288000 524288000 97753248
162 Mon May 19 15:08:30 EDT 2014 279466789 2 PS Scavenge 122 0.0 719 0.0 278900975 **4.0** 522715136 524288000 522715136 36896016
You could do this:

```
yoursearchhere
| rex "(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)"
| where CollectionCount > 0
| chart count by GC_NAME
```

where you could change the `count` statistic to whatever you are trying to chart.
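An added example, not part of the original answer: the same pattern applied in Python to the four sample events, showing why the nonzero filter matters when the bolded value is read by position. The tab delimiter, the column index of the bolded value, and the names `VALUE_COL` and `chart_by_gc` are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Same pattern as the rex above; Python shares the (?P<name>...) syntax.
REX = re.compile(r"(?i)^(?:[^\t]*\t){4}(?P<GC_NAME>[^\t]+)\s+(?P<CollectionCount>\d+)")

# Assumption: the bolded value is the 11th tab-separated field (index 10).
VALUE_COL = 10

def _event(text):
    # Constructed sample: '|' stands in for the assumed tab delimiter.
    return text.replace("|", "\t")

SAMPLE = [
    _event("162|Mon May 19 15:08:30 EDT 2014|279466791|3|PS MarkSweep|0|0.0|0|0.0|523763712|524288000|523763712|183944776"),
    _event("162|Mon May 19 15:08:30 EDT 2014|9753597|4|PS MarkSweep|0|0.0|0|0.0|532152320|536870912|532152320|42549976"),
    _event("162|Mon May 19 15:08:30 EDT 2014|279466762|1|PS Scavenge|128|0.0|644|0.0|272758272|5.0|524288000|524288000|524288000|97753248"),
    _event("162|Mon May 19 15:08:30 EDT 2014|279466789|2|PS Scavenge|122|0.0|719|0.0|278900975|4.0|522715136|524288000|522715136|36896016"),
]

def chart_by_gc(lines, require_nonzero=True):
    """Average the value column per GC_NAME, like `chart avg(...) by GC_NAME`."""
    values = defaultdict(list)
    for line in lines:
        m = REX.match(line)
        if m is None:
            continue  # event does not have the expected layout
        if require_nonzero and int(m.group("CollectionCount")) == 0:
            continue  # equivalent of `| where CollectionCount > 0`
        fields = line.split("\t")
        if len(fields) <= VALUE_COL:
            continue  # too few columns to hold the value
        try:
            values[m.group("GC_NAME")].append(float(fields[VALUE_COL]))
        except ValueError:
            continue  # non-numeric column, skip the event
    return {name: sum(v) / len(v) for name, v in values.items()}

if __name__ == "__main__":
    # With the filter, only PS Scavenge is charted.
    print(chart_by_gc(SAMPLE))
    # Without it, the shorter PS MarkSweep events put an unrelated
    # number in the same column, which would skew the chart.
    print(chart_by_gc(SAMPLE, require_nonzero=False))
```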