Hi Splunk Support,
I'm trying to create a table based on certain fields from the Output Results:
Search String:
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt"
Results :
1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
TYPE(QLOCAL) CURDEPTH(0)
2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
TYPE(QLOCAL) CURDEPTH(0)
3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP) TYPE(QLOCAL)
CURDEPTH(0)
Table to Create:
QUEUE NAME CURRENT_QUEUE_DEPTH
VIA.EVENT.ACTUTIME.UPD.FOR.ODBS CURDEPTH(0)
Thanks,
Aldwin
Try something like this
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
Update#1
Try this
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
Thank you for your suggestion but it's not working.
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"
The regex expression above doesn't show the queue name nor the Current Queue Depth.
I'm trying to find out maybe there's something wrong with the expression but your suggestion is very appreciated.
Thanks,
Aldwin
Try this
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
Hi Somesoni2,
I'm now getting a result for the rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"
but still not working for rex "QUEUE\((?<QUEUE_NAME>[^\)]".
Please see screenshot attached.
Thanks,
Aldwin
There is an issue with the regex that I wrote. Fixed in the main answer (see Update#1).
You mean this one:
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
I've tried this and it's not working.
Your second update worked but only for rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"; the rex "QUEUE\((?<QUEUE_NAME>[^\)]" did not work.
I mean this
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH
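The difference between the first regex in the thread and the Update#1 version can be checked offline against the sample output from the question. The script below is an added example written for this page, not code from the thread or from Splunk: it applies both regex forms (using Python's `(?P<name>...)` group syntax in place of the PCRE `(?<name>...)` that Splunk's rex accepts) to a constructed copy of the `dis ql` output, and it splits that output into one record per `dis ql` command, which is an assumption about where the event boundaries fall.

```python
import re

# Constructed copy of the three "dis ql" responses shown in the question.
SAMPLE = """1 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS)
TYPE(QLOCAL) CURDEPTH(0)
2 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.ODBS.BO)
TYPE(QLOCAL) CURDEPTH(0)
3 : dis ql (VIA.EVENT.ACTUTIME.UPD.FOR.OTP) curdepth
AMQ8409: Display Queue details.
QUEUE(VIA.EVENT.ACTUTIME.UPD.FOR.OTP) TYPE(QLOCAL)
CURDEPTH(0)
"""

# First attempt from the thread: exactly one character ([\S\s]) is allowed
# between the end of the queue name and the literal "CURDEPTH(".
SINGLE_RE = re.compile(
    r"QUEUE\((?P<QUEUE_NAME>[^\)]+)[\S\s]CURDEPTH\((?P<CURRENT_QUEUE_DEPTH>\d+)"
)

# Update#1: each field is extracted on its own, so whatever sits between
# QUEUE(...) and CURDEPTH(...) (here ") TYPE(QLOCAL)" plus a newline) no longer matters.
QUEUE_RE = re.compile(r"QUEUE\((?P<QUEUE_NAME>[^\)]+)")
DEPTH_RE = re.compile(r"CURDEPTH\((?P<CURRENT_QUEUE_DEPTH>\d+)")


def extract_single(text):
    """Apply the single combined regex; returns (name, depth) or None when it does not match."""
    m = SINGLE_RE.search(text)
    if not m:
        return None
    return (m.group("QUEUE_NAME"), int(m.group("CURRENT_QUEUE_DEPTH")))


def split_records(text):
    """Split the captured output into one record per 'dis ql' command.

    Assumption for this example: a record starts at a line like '1 : dis ql ...'.
    """
    records, current = [], []
    for line in text.splitlines():
        if re.match(r"\d+ : dis ql", line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def extract_two_step(record):
    """Apply the two Update#1 regexes to one record; returns (name, depth) or None."""
    q = QUEUE_RE.search(record)
    d = DEPTH_RE.search(record)
    if not (q and d):
        return None
    return (q.group("QUEUE_NAME"), int(d.group("CURRENT_QUEUE_DEPTH")))


def build_table(text):
    """Equivalent of '| table QUEUE_NAME CURRENT_QUEUE_DEPTH' over all records."""
    rows = (extract_two_step(r) for r in split_records(text))
    return [row for row in rows if row is not None]


if __name__ == "__main__":
    print("single regex:", extract_single(SAMPLE))
    for name, depth in build_table(SAMPLE):
        print(f"{name:<40} {depth}")
```

In the sample output the closing parenthesis of the queue name is followed by `TYPE(QLOCAL)` before `CURDEPTH(` appears, so the one-character bridge `[\S\s]` in the combined regex never lines up and the search returns nothing; the two independent regexes yield a row per record.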
Hi Somesoni2,
Thank you for all your help. It worked perfectly.
If you don't mind, using the same search:
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH(" | rex max_match=8 "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex max_match=8 "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)"
I just want to show where the value of CURDEPTH is more than let's say 100, I've tried looking at some solutions but can't seem to find the right solution.
Thanks,
Aldwin
Just add the filter condition like this at the end of the search
index=iib_mq sourcetype=iib_mq_dev source="C:\\Temp\\mqoutput.txt" "QUEUE(" "CURDEPTH("
| rex "QUEUE\((?<QUEUE_NAME>[^\)]+)" | rex "CURDEPTH\((?<CURRENT_QUEUE_DEPTH>\d+)" | table QUEUE_NAME CURRENT_QUEUE_DEPTH | where CURRENT_QUEUE_DEPTH > 100
Hi Somesoni,
I've tried that already but it did not work. Even if I change it to where CURRENT_QUEUE_DEPTH > 1 since I only have 4 as the highest current depth.
Thanks,
Aldwin
Do you have multiple queues in single events and want to sum all the queue depth in each event and compare it to 100? Or do you want to sum queue depth of all events and compare with 100?
It would need to be this one:
Do you have multiple queues in single events and want to sum all the queue depth in each event and compare it to 100?
Have you got fieldname for each of these fields?
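The threshold question in the last few posts hinges on what `rex max_match=8` produces: when one event holds several queues, each rex yields a list of values per event, and a per-queue comparison only makes sense after the names and depths are paired up positionally. The Python below is an added example for this page (not the thread's or Splunk's code) that mimics that pairing over a constructed event with invented depths, and shows both readings of the question asked above: which individual queues exceed the threshold, and whether the event's summed depth exceeds it. The event boundaries and depth values are assumptions made for the demonstration.

```python
import re

QUEUE_RE = re.compile(r"QUEUE\(([^\)]+)")
DEPTH_RE = re.compile(r"CURDEPTH\((\d+)")

# Constructed event containing three "dis ql" responses; depths are invented.
EVENT = """1 : dis ql (Q.ONE) curdepth
AMQ8409: Display Queue details.
QUEUE(Q.ONE)
TYPE(QLOCAL) CURDEPTH(4)
2 : dis ql (Q.TWO) curdepth
AMQ8409: Display Queue details.
QUEUE(Q.TWO) TYPE(QLOCAL)
CURDEPTH(150)
3 : dis ql (Q.THREE) curdepth
AMQ8409: Display Queue details.
QUEUE(Q.THREE)
TYPE(QLOCAL) CURDEPTH(60)
"""


def extract_pairs(event, max_match=8):
    """Mirror 'rex max_match=N' for both fields and pair the values positionally.

    A count mismatch means one queue block lacked a CURDEPTH (or vice versa);
    pairing blindly would then attach a depth to the wrong queue, so refuse instead.
    """
    names = QUEUE_RE.findall(event)[:max_match]
    depths = [int(d) for d in DEPTH_RE.findall(event)[:max_match]]
    if len(names) != len(depths):
        raise ValueError(
            f"cannot pair {len(names)} queue names with {len(depths)} depths"
        )
    return list(zip(names, depths))


def queues_over(event, threshold):
    """Per-queue reading: rows whose own CURDEPTH exceeds the threshold."""
    return [(name, depth) for name, depth in extract_pairs(event) if depth > threshold]


def event_total_over(event, threshold):
    """Per-event reading: the summed depth if it exceeds the threshold, else None."""
    total = sum(depth for _, depth in extract_pairs(event))
    return total if total > threshold else None


if __name__ == "__main__":
    for name, depth in extract_pairs(EVENT):
        print(f"{name:<12} {depth}")
    print("over 100:", queues_over(EVENT, 100))
    print("event total over 100:", event_total_over(EVENT, 100))
```

The per-queue result is the one a `table QUEUE_NAME CURRENT_QUEUE_DEPTH` followed by a depth filter is meant to give once every queue sits on its own row; the per-event sum is the alternative Somesoni2 asks about, and the two can disagree (here no single queue exceeds 200, but the event's total does).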