Splunk Search

Interactive field extractor not selecting all named values

bcarnot
Path Finder

Below is my data. I have used very simple "Example values for a field" like 23, 1.27, msec or threads.

The response back never properly defines the named objects. Goal is to be able to report on the values below over time.

DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
DBWaitTime.minTime: 0   msecs
DBWaitTime.time:    373 msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:   
JDBC_Connection_Username.value:    PORTLET  
LogicalConnection.value:    null    
/JDBC/Driver/CONNECTION_5/Statement [type=JDBC_Statement]
Execute.active: 0   threads
Execute.avg:    1.3652482269503545  msecs
Execute.completed:  282 ops
Execute.maxActive:  1   threads
Execute.maxTime:    10  msecs
0 Karma

lguinn2
Legend

You might need to learn a little about regular expressions and edit the regex that the IFX generates. Splunk can only perform a brute-force analysis of the data to create a regular expression - since you have an understanding of your own data, you can probably do better.

If you don't know regular expressions, here is a pretty decent and short tutorial:
http://regexone.com/

Also, if you gave the community an idea of what you want to extract, we could help with the regular expressions. Your question really doesn't tell us much.

0 Karma

bcarnot
Path Finder

Thank you for your response.
A use case of the report for the data above would be "DBWaitTime.avg" over time.
My understanding is I should be able to extract this field (and others) based on the query.

In the examples I have watched, the end user selects the changing variable (the " 1.273037542662116 ") for SPLUNK to "learn" the log.

For conversation purposes, using this segment: DBWaitTime.avg: 1.273037542662116 msecs
Should I be creating a field extraction off of:
1) DBWaitTime.avg
2) 1.273037542662116
3) msecs

If I choose:
1) the response is "regex" cannot be learned
2) the response highlights very good information, but the field names are now the found response times (numbers)
3) the response highlights very good information, but the field names are now the found response names (msec, threads, ops)

GOAL is to chart Database wait time (in msec) over time.

0 Karma

bcarnot
Path Finder

I am almost there, and really appreciate assistance with connecting the dots.
The generation of the Field Extractor regex is much more complex than what is shown on the web.

Looking back at my data above, if I use an on-line tool with the following, I get all the digits required: (?:\d*.)?\d+

How do I add this to what is being generated by the extractor?: (?i).count:\t(?P[^\t]+)

My lack of understanding (among other things) is of the "?i", "\t", "P", "^\t".
My understanding of the above is: period, count to the colon, any ? (optional letter? field name starts with any digit?), one or more repetitions.

0 Karma
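The following is an added worked example, not code from the thread or from Splunk, showing how a hand-written regex with named capture groups pulls the metric name, the numeric value and the unit out of the sample lines posted above. Python's re module uses the same (?P<name>...) named-group syntax that the Field Extractor generates, so each piece of the generated regex ((?i), \t, (?P<...>), [^\t]) is spelled out in the comments. The metric names, units and the constructed SAMPLE text are taken from the data in the first post; the function names are assumptions for this illustration. Note that the dot in the number pattern is escaped as \. here, because an unescaped . matches any character.

```python
import re

# Constructed sample: lines copied from the data posted above.
SAMPLE = """\
DBWaitTime.avg: 1.273037542662116   msecs
DBWaitTime.completed:   293 ops
DBWaitTime.maxActive:   1   threads
DBWaitTime.maxTime: 23  msecs
JDBC_Connection_Url.value:  jdbc:oracle:thin:
Execute.avg:    1.3652482269503545  msecs
Execute.completed:  282 ops
"""

# The pieces of the regex, one per line:
#   (?i)                       inline flag: match case-insensitively (the IFX adds it by default)
#   ^                          start of a line (with re.MULTILINE)
#   (?P<name>...)              a *named* capture group; the name becomes the field name
#   [A-Za-z_]+\.[A-Za-z_]+     label like DBWaitTime.avg; the \. is a literal dot
#   :\s+                       the colon, then one or more spaces or tabs (\t is a tab)
#   (?P<value>\d+(?:\.\d+)?)   digits with an optional ".digits" part; (?:...) groups without capturing
#   (?P<unit>msecs|ops|threads) the unit word
#   [^\t]+ in the IFX regex means "one or more characters that are NOT a tab"
METRIC_RE = re.compile(
    r"(?i)^(?P<name>[A-Za-z_]+\.[A-Za-z_]+):\s+"
    r"(?P<value>\d+(?:\.\d+)?)\s+"
    r"(?P<unit>msecs|ops|threads)[ \t]*$",
    re.MULTILINE,
)


def extract_metrics(text):
    """Return {metric_name: (value, unit)} for every numeric metric line in text.

    Lines that do not fit the label/number/unit shape (for example the
    JDBC_Connection_Url line) are simply skipped.
    """
    found = {}
    for m in METRIC_RE.finditer(text):
        found[m.group("name")] = (float(m.group("value")), m.group("unit"))
    return found


def extract_one(text, field):
    """Mimic a single-field extraction anchored on the literal label.

    This is the shape you would put into the IFX regex editor or a rex
    command: anchor on the label text, then capture only the number.
    Anchoring on the label is what makes the value, not the label or the
    unit, come out as the field.
    """
    pattern = re.compile(
        re.escape(field) + r":\s+(?P<value>\d+(?:\.\d+)?)\s+(?P<unit>\S+)"
    )
    m = pattern.search(text)
    if m is None:
        return None
    return float(m.group("value")), m.group("unit")


if __name__ == "__main__":
    for name, (value, unit) in extract_metrics(SAMPLE).items():
        print(f"{name:<24} {value:>20} {unit}")
    print("DBWaitTime.avg only:", extract_one(SAMPLE, "DBWaitTime.avg"))
```

Once the regex does what you want here, the label-anchored form in extract_one is the one to paste into the extractor's regex editor, replacing the IFX-generated (?P<...>[^\t]+) group with the \d+(?:\.\d+)? number group and giving the group a field name such as DBWaitTime_avg; charting that field over time is then an ordinary timechart.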