Solved: regex to extract from _raw

khhenderson · ‎06-06-2012

I am unfamiliar with regex. I need to separate every field in the _raw data from this line.

06/06 12:46:17 metrics ListeningThreads=3 IdleThreads=21 WaitingThreads=0 BusyThreads=0 TotalThreads=24 DelayedRequests=0 DroppedRequests=0 HandledRequests=28 HandledTime=543 DelayedTime=0 TotalMemory=4019584 FreeMemory=3549100

I know it can be done in the transform.conf and prop.conf files. I would just use a search command.

Would it be best to break it up using spaces? The order of the data should always be the same.
My final result would be a real time table or graph to monitor, BusyThreads, HandledRequests and FreeMemory.

Help for a newbie.

Starlette · ‎06-06-2012

did you already indexed this data? cause Splunks default behaviour is that it will extract the key=values pairs (due the = seperator)

View solution in original post

Starlette · ‎06-06-2012

did you already indexed this data? cause Splunks default behaviour is that it will extract the key=values pairs (due the = seperator)

khhenderson · ‎06-06-2012

I think I've figured it out. This is close to what I need: | search "BusyThreads*" "HandledRequest*"

johandk · ‎06-06-2012

Make sure you have field discovery turned on when searching?

Starlette · ‎06-06-2012

right, but you dont have the fieldextractions like Idletreads=21 etc?

khhenderson · ‎06-06-2012

Yes it's indexed.

regex to extract from _raw

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor