Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use mvexpand to create multiple events with different times?

bdruth
Path Finder
‎12-07-2016 10:23 AM

I have an event, from JVM garbage collection activity, and it is logged with a timestamp representing the beginning of the GC activity. It also logs a field indicating the time elapsed during the GC activity. Since the event provides me a value indicating state of the memory before/after the GC activity, I'd like to create two events (presumably w/ mvexpand) where the first event has a "starting" value tied to the event's original timestamp, and the second event has an "ending" value tied to the original timestamp + elapsed time.

The event looks like this:

2016-12-07T12:18:02.442-0600: 56139.087: [GC2016-12-07T12:18:02.442-0600: 56139.087: [ParNew: 5536635K->167110K(6051264K), 0.1446960 secs] 8439996K->3080936K(9420224K), 0.1449360 secs] [Times: user=0.48 sys=0.00, real=0.14 secs]

In this case, I'm primarily interested in the information contained in the [ParNew:...] piece of the event. So, I guess I want to transform this into two events

_time,heap_young_used
2016-12-07T12:18:02.442-0600,5536635
2016-12-07T12:18:02.586-0600,167110

I could throw up a few things I've tried, but I'm basically stumped here. Not feeling like I'm getting any closer to figuring this out. Or maybe it's not possible.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-07-2016 11:05 AM

Give this a shot

base search | rex field=x "ParNew:\s?(?<heap_start>\d+)\w\-\>(?<heap_end>\d+)\S+\s?(?<elapsed_time>\S+)" | eval end=_time+elapsed_time | eval events=_time.",".heap_start.";".end.",".heap_end | makemv events delim=";" | mvexpand events | rex field=events "(?<_time>[^,]+),(?<heap>.*)" | table _time heap

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-07-2016 11:05 AM

Give this a shot

base search | rex field=x "ParNew:\s?(?<heap_start>\d+)\w\-\>(?<heap_end>\d+)\S+\s?(?<elapsed_time>\S+)" | eval end=_time+elapsed_time | eval events=_time.",".heap_start.";".end.",".heap_end | makemv events delim=";" | mvexpand events | rex field=events "(?<_time>[^,]+),(?<heap>.*)" | table _time heap
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...