Splunk Search

Get values from the search result

priyansplunk
Engager

Suppose my search for the queue name details provides the below results,

    <qName><![CDATA[ESB.Sample.1.Action]]></qName>
    <pendingMsgCount>0</pendingMsgCount>
    <pendingMsgSize>0</pendingMsgSize>
    <receiverCount>4</receiverCount>
    <inTotalMsgs>0</inTotalMsgs>
    <outTotalMsgs>0</outTotalMsgs>
    <isStatic>true</isStatic>
    <prefetch>-1</prefetch>
    <isBridged>false</isBridged>
    <acl>APP0105(NPA AMX)=send; APP0088 (Webshpere)=send</acl>
    </qInfo>

But I want to display the pending message count, receiver count and acl values in a timechart for the last 5 minutes in real time?

Can you please guide me?

0 Karma

fdi01
Motivator

try like this:
index=your_index | rex "pendingMsgCount\>(?<PendingmessageCount>\d*)<\/pending" | rex "receiverCount\>(?<receiverCount>\d*)<\/receiver" | table PendingmessageCount receiverCount

see my example below:

index="snnp" | rex "\d+\-\d+\-\d+ \d+\:\d+:\d+ (?<Host>[a-zA-Z0-9.-]+)"
| rex max_match=0 "STRING\: \"(?<strings>.*?)\"" | table Host strings

see the picture to understand better:

0 Karma

jeffland
SplunkTrust

Oh no, there was a mistake in my earlier answer! Apparently, you can't put code in grave accents. I am sorry, I have now corrected it. I wrote a new answer anyway, as this is a little more elaborate.
For anything related to regular expressions, I recommend this site to you: https://regex101.com/
Together with the documentation at http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/rex
you can pretty easily learn how to use them (and you should).
Basically, what happens with a rex command is that it matches the text either literally or with certain criteria, and you can "capture" given areas so that you can later access them. For example, do the following search:
index=_internal
See how there is a field on the left saying "message"? Take a look at the values this field has. Assume you want what it says after "group=", so you do a simple search like

index=_internal | rex "group=(?<FieldForGroup>.*)," | table FieldForGroup

There should be a new table with possibly a few empty entries, but somewhere in there you'll find what you saw earlier when you looked at the field "message". What rex does here is look for a literal occurrence of "group=". Then there's a capture group (indicated by the parentheses), which means that whatever it finds next that meets the criteria of this group becomes the content of a field called "FieldForGroup" (the name here is what you put into the angle brackets). The criteria for this group are what follows the angle brackets; in this case it can be anything. After that capture group, there has to be a comma, and that's it. Because these results are not used so far, in this example we just pipe them into a table.
Notice how we can now reference "FieldForGroup" as if it were a field that existed in the data.
All good so far? I would recommend you look at this regular expression (without the quotes) in https://regex101.com/ (you could paste this text into the test string box to see how it works: group=deploy-server, name=app_downloads, nStarted=0, nCompleted=0, volumeCompletedKB=0.0).

Or, if you want to go with your initial example, paste your result as the test string and check the updated regular expression:

pendingMsgCount\>(?<PendingmessageCount>\d*)<\/pending

I hope this at least helps with the regular expression part. As for timechart, that should be pretty easy from here on, but ask if you need more help with that.
Cheers

0 Karma

jeffland
SplunkTrust

You could regex the data you are interested in, e.g. append

pendingMsgCount\>(?<PendingmessageCount>\d*)<\/pending

to your search to receive a field named PendingmessageCount, and do that for the other values as well. You could then timechart those values with your parameters.
You could also consider extracting those fields automatically if you frequently use these results: Settings->Fields->Field Extractions, that way you always have those fields ready when you perform a search on this data and can skip the entire rex command to head straight for the timechart.

0 Karma

priyansplunk
Engager

Thanks for the reply! Sorry, I am new to Splunk... I can't understand rex completely..

I tried in search as
Search:
ESB.Sample.1.Action source:Log.1| rex "pendingMsgCount>(?\d*)<\/pending"
Error:
Error in 'rex' command: Encountered the following error while compiling the regex 'pendingMsgCount>(?\d*)<\/pending': Regex: unrecognized character after (? or (?-

Basically I have a set of queues (kept in eventtypes) that need to be monitored for earliest=-5m in a dashboard for the pending messages.

Please guide me the procedure from the Beginning.

Thanks,
Priyan

0 Karma
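As an added example (not code from the thread, from Splunk, or from any of the posters), the JavaScript below runs the same kind of named-capture-group patterns that jeffland explains and fdi01's answer uses against a constructed copy of the queue event from the question, chains them the way successive rex commands would, and shows that the stripped group "(?\d*)" from the error report above fails to compile in JavaScript's regex engine for the same reason Splunk's regex engine rejects it. JavaScript is used because its (?<name>...) group syntax is the same form rex accepts; the sample event, the extra queue-name and acl patterns, and the helper names are assumptions made for this example.

```javascript
// Added example (not from the thread): applies rex-style named capture groups
// to a constructed copy of the queue-status event from the question and shows
// why a group whose name was stripped fails to compile.

// Constructed sample event, modelled on the XML fragment in the question.
const SAMPLE_EVENT = [
  '<qInfo>',
  '    <qName><![CDATA[ESB.Sample.1.Action]]></qName>',
  '    <pendingMsgCount>0</pendingMsgCount>',
  '    <pendingMsgSize>0</pendingMsgSize>',
  '    <receiverCount>4</receiverCount>',
  '    <inTotalMsgs>0</inTotalMsgs>',
  '    <outTotalMsgs>0</outTotalMsgs>',
  '    <isStatic>true</isStatic>',
  '    <prefetch>-1</prefetch>',
  '    <isBridged>false</isBridged>',
  '    <acl>APP0105(NPA AMX)=send; APP0088 (Webshpere)=send</acl>',
  '</qInfo>',
].join('\n');

// Patterns in the same shape as the thread's rex arguments: a literal prefix,
// then a named capture group (?<name>...) holding the value we want.
// The queue and acl patterns are assumptions added here, not from the thread.
const FIELD_PATTERNS = {
  queue: /<qName><!\[CDATA\[(?<queue>[^\]]*)\]\]><\/qName>/,
  PendingmessageCount: /pendingMsgCount>(?<PendingmessageCount>\d*)<\/pending/,
  receiverCount: /receiverCount>(?<receiverCount>\d*)<\/receiver/,
  acl: /<acl>(?<acl>[^<]*)<\/acl>/,
};

// Equivalent of chaining several "| rex" commands: each pattern that matches
// contributes its named group as a new field; non-matching patterns add nothing.
function extractFields(event, patterns = FIELD_PATTERNS) {
  const fields = {};
  for (const re of Object.values(patterns)) {
    const m = re.exec(event);
    if (m && m.groups) Object.assign(fields, m.groups);
  }
  return fields;
}

// Captured text is a string; coerce the counters to numbers so they can be
// charted, which is what a numeric aggregation in timechart needs.
function numericFields(fields, names) {
  const out = {};
  for (const n of names) {
    if (fields[n] !== undefined && fields[n] !== '') out[n] = Number(fields[n]);
  }
  return out;
}

// The failing search in the thread used "(?\d*)": the group name was lost,
// leaving a bare "(?" that no regex engine recognises. Returns the compile
// error message, or null if the pattern compiles, so the failure is checkable.
function regexCompileError(source) {
  try {
    new RegExp(source);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Stand-alone demo.
const extracted = extractFields(SAMPLE_EVENT);
console.log(extracted);
console.log(numericFields(extracted, ['PendingmessageCount', 'receiverCount']));
console.log(regexCompileError('pendingMsgCount>(?\\d*)<\\/pending'));
```

Run it with node. The values come back as text, as rex captures do in Splunk; only the two counts are coerced to numbers, because those (not the acl string) are the fields a timechart aggregation can plot, which is the step jeffland leaves for a follow-up question.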