Hi,
How can we fetch all the occurrences of GC which are greater than 300?
We have something like the below in our logs. We want a filter to show where GC is greater than 300.
G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms
posting another answer to demonstrate the use of the rex command:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rex
here is the code, run it in Splunk and see the results:
| makeresults count=1
| eval fake_raw_data = "G1 Young Generation GC in 323ms,
G1 Young Generation GC in 250ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 305ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 570ms,
G1 Young Generation GC in 430ms,G1 Young Generation GC in 320ms,G1 Young Generation GC in 580ms"
| makemv delim="," fake_raw_data
| mvexpand fake_raw_data
| rename COMMENT as "The code above generates fake data with no field extractions"
| rex field=fake_raw_data "in\s(?<GC>\d+)"
| table _time fake_raw_data GC
| where GC > 500
Hey,
can you give me an example of how to use this when we are using an index? I am trying to query like this:
index=* sourcetype=* GC (search for GC)
but when I try to use this:
makeresults count=1 | index=* sourcetype=* GC | mvexpand ms | convert rmunit(ms) | rename ms as GC | search GC > 300
| makeresults just creates fake data.
try only:
index = YourIndexNameHere sourcetype = YourSourcetypeNameHere
| rex field=_raw "in\s(?<GC>\d+)"
| table _time GC
| where GC > 500
Hello there,
here is some sample code to run anywhere and check:
| makeresults count=1
| eval ms = "350ms,320ms,350ms,450ms,100ms,250ms,175ms"
| makemv delim="," ms
| mvexpand ms
| rename COMMENT as "the above creates fake data; convert rmunit strips the ms suffix so GC can be compared numerically"
| convert rmunit(ms)
| rename ms as GC
| search GC > 300
I used convert rmunit here to remove the "ms" suffix and change the field from a string to a number; read more here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Convert
note: there are other ways to accomplish that, like the rex command for example.
Hey,
My data is something like this:
G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms
How would I trim "in" after GC and also "ms"? Is there a way we can pick the value just before "ms" in my example and set an alert if we have a value like 500ms?
maybe try and use the field extractor:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
follow this guide.
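Putting the rex extraction from the earlier answers together with the alerting question above, here is an added search that is not from any poster in this thread; the index, sourcetype and the host field are assumptions, and GC_ms, severity, slow_gc_count and worst_gc_ms are names chosen for this example:

```spl
index=YourIndexNameHere sourcetype=YourSourcetypeNameHere "Generation GC in"
| rex field=_raw "GC in\s(?<GC_ms>\d+)ms"
| eval GC_ms = tonumber(GC_ms)
| where GC_ms > 300
| eval severity = if(GC_ms >= 500, "critical", "warning")
| stats count AS slow_gc_count, max(GC_ms) AS worst_gc_ms, latest(_time) AS last_seen BY host, severity
| convert ctime(last_seen)
```

Saved as an alert that triggers when the number of results is greater than zero, this reports per host how many pauses exceeded 300ms and separates those at or above 500ms, while events whose line does not match the rex pattern get no GC_ms value and are dropped by the where clause.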