Hi - I am indexing a JMX GC log in Splunk. It has the following entries:
29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]
host = APP01 source = /export/home/jboss/jboss-4.3.0/server/main/log/gcverbose.10645.log sourcetype = gc_log_abc
Currently I use sourcetype=gc_log_bizx FULL "user=30*" to filter events where user time is taking 30s.
I need to refine this query further to get all events where the user= value is more than 30s.
Can anyone help me?
If Splunk is extracting those key value pairs automatically you can simply do:
sourcetype=gc_log_bizx FULL user>30
If not, then extract the user field first and then use it:
sourcetype=gc_log_bizx FULL
| rex field=_raw "user=(?<user>[\d\.]+)"
| where user > 30
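To make the difference between the original wildcard search term and the numeric `where` filter concrete, here is an added Python example (not code from the thread) that runs the same `user=` capture over a handful of constructed GC log lines. The event lines are made up for the example and modelled on the one quoted in the question; the `user=30*` term is approximated as a plain prefix match, which is enough to show why it misses values such as 45.10 while the numeric comparison catches them.

```python
import re

# Constructed sample events, modelled on the Full GC line quoted in the question.
SAMPLE_EVENTS = [
    "29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]",
    "29900.100: [Full GC 29900.100: [CMS29905.200: [CMS-concurrent-mark: 9.000/9.100 secs] [Times: user=30.76 sys=0.40, real=8.09 secs]",
    "30000.500: [Full GC 30000.500: [CMS30005.800: [CMS-concurrent-mark: 9.500/9.600 secs] [Times: user=45.10 sys=0.55, real=12.30 secs]",
    "30100.700: [Full GC 30100.700: [CMS30105.900: [CMS-concurrent-mark: 9.700/9.800 secs] [Times: user=3.05 sys=0.10, real=2.00 secs]",
    "30200.900: [Full GC 30200.900: [CMS30205.100: [CMS-concurrent-mark: 9.900/9.950 secs] [Times: user=300.20 sys=1.00, real=90.00 secs]",
]

# Same capture as the rex in the answer, user=(?<user>[\d\.]+); Python spells
# a named group (?P<name>...).
USER_RE = re.compile(r"user=(?P<user>[\d\.]+)")


def extract_user(event):
    """Return the user CPU time from a GC event as a float, or None if absent."""
    m = USER_RE.search(event)
    return float(m.group("user")) if m else None


def events_over_user_seconds(events, threshold=30.0):
    """Numeric filter, the equivalent of `| where user > 30`."""
    matched = []
    for event in events:
        user = extract_user(event)
        if user is not None and user > threshold:
            matched.append(event)
    return matched


def events_matching_prefix(events, prefix="user=30"):
    """Approximation of the original "user=30*" search term: a text prefix
    match on the value, which matches 30.76 and 300.20 but not 45.10."""
    return [event for event in events if prefix in event]


if __name__ == "__main__":
    print("numeric  >30:", [extract_user(e) for e in events_over_user_seconds(SAMPLE_EVENTS)])
    print("prefix user=30*:", [extract_user(e) for e in events_matching_prefix(SAMPLE_EVENTS)])
```

Run against the five constructed lines, the numeric filter returns the 30.76, 45.10 and 300.20 events, while the prefix match returns only 30.76 and 300.20, which is the gap the question is running into.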
Thank you, this is what I was looking for. Do you know of any Splunk doc that talks about rules to extract field values using regex?
Any of the following might help:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Managesearch-timefieldextractions
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/ExtractfieldsinteractivelywithIFX
Yes. Thank You
Hi -
How do I extract these fields?
[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] 10302433K->9534469K(13121984K), 0.0823159 secs] [Times: user=0.63 sys=0.00, real=0.08 secs]
10302433K - JVM_HeapUsedBeforeGC
9534469K - JVM_HeapUsedAfterGC
13121984K - JVM_HeapSize
0.0823159 secs - JVM_GCTimeTaken
Can you help?
(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)
See this: https://regex101.com/r/bO9iP8/1
Is it using the rex command? I tried the above in Splunk search and got an error.
Yeah, I only pasted the regular expression. You can use it with rex but the important bit is that you can rely on resources such as regex101 to test this out very easily.
rex field=_raw "(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+(?<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?<JVM_HeapUsedAfterGC>[\d\.KM]+)\((?<JVM_HeapSize>[\d\.KM]+)\),\s+(?<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+\[Times: user=(?<user>[\d\.]+)"
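As an added example (not code from the thread), the same regular expression applied in Python to constructed ParNew events, so the captured fields can be checked locally before building the rex in Splunk. The event lines are modelled on the one quoted in the question; the `to_bytes` helper and the reclaimed-heap percentage are assumptions added here to show how the extracted size tokens can be turned into numbers, and a Full GC line that the pattern should not match is included to show the no-match path.

```python
import re

# Constructed events: two ParNew collections modelled on the quoted line, plus a
# Full GC line that the ParNew pattern must not match.
PARNEW_EVENTS = [
    "[GC 44625.964: [ParNew: 929756K->161792K(1071552K), 0.0821116 secs] 10302433K->9534469K(13121984K), 0.0823159 secs] [Times: user=0.63 sys=0.00, real=0.08 secs]",
    "[GC 44700.120: [ParNew: 800000K->150000K(1071552K), 0.0500000 secs] 9000000K->8500000K(13121984K), 0.0510000 secs] [Times: user=0.40 sys=0.01, real=0.05 secs]",
    "29800.962: [Full GC 29800.962: [CMS29805.756: [CMS-concurrent-mark: 8.059/8.092 secs] [Times: user=11.76 sys=0.40, real=8.09 secs]",
]

# The answer's regex with (?<name>...) groups rewritten as Python's (?P<name>...).
PARNEW_RE = re.compile(
    r"(?msi)\[GC\s+[\d\.]+:\s+\[ParNew:[^\]]+\]\s+"
    r"(?P<JVM_HeapUsedBeforeGC>[\d\.KM]+)->(?P<JVM_HeapUsedAfterGC>[\d\.KM]+)"
    r"\((?P<JVM_HeapSize>[\d\.KM]+)\),\s+(?P<JVM_GCTimeTaken>[\d\.]+ secs)\]\s+"
    r"\[Times: user=(?P<user>[\d\.]+)"
)

# Assumption: the log only uses K and M suffixes, as in the quoted line.
UNITS = {"K": 1024, "M": 1024 * 1024}


def extract_parnew(event):
    """Return the named groups as a dict of raw strings (what Splunk's rex
    would produce), or None when the event is not a ParNew collection."""
    m = PARNEW_RE.search(event)
    return m.groupdict() if m else None


def to_bytes(size_token):
    """Convert a size token such as '10302433K' to bytes."""
    unit = size_token[-1].upper()
    if unit in UNITS:
        return int(float(size_token[:-1]) * UNITS[unit])
    return int(float(size_token))


def gc_time_seconds(fields):
    """Turn the captured '0.0823159 secs' into a float number of seconds."""
    return float(fields["JVM_GCTimeTaken"].split()[0])


def heap_reclaimed_pct(fields):
    """Percentage of used heap freed by the collection, to two decimals."""
    before = to_bytes(fields["JVM_HeapUsedBeforeGC"])
    after = to_bytes(fields["JVM_HeapUsedAfterGC"])
    return round(100.0 * (before - after) / before, 2)


if __name__ == "__main__":
    for event in PARNEW_EVENTS:
        fields = extract_parnew(event)
        if fields is None:
            print("no ParNew match:", event[:40], "...")
            continue
        print(fields, "reclaimed %:", heap_reclaimed_pct(fields))
```

The regex101 link in the answer is the place to iterate on the pattern; this script is the offline equivalent for checking that each named group lands on the value listed in the question (10302433K, 9534469K, 13121984K and 0.0823159 secs for the first event).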
Try like:
sourcetype=gc_log_bizx FULL "user>30*"
No, it didn't work. Please note events can be like
[Times: user=11.76 sys=0.40, real=8.09 secs]
[Times: user=30.76 sys=0.40, real=8.09 secs]