Splunk Search

how to fetch all the events which are greater than a number for GC in my log

rajpalyalla
Engager

Hi,

How can we fetch all the occurrences of GC which are greater than 300?
We have something like below in the logs. We want a filter to show where GC is greater than 300.

G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms

0 Karma
1 Solution

adonio
Ultra Champion

Posting another answer to demonstrate the use of the rex command:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rex
Here is the code; run it in Splunk and see the results:

| makeresults count=1
| eval fake_raw_data = "G1 Young Generation GC in 323ms,
G1 Young Generation GC in 250ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 305ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 570ms,
G1 Young Generation GC in 430ms,G1 Young Generation GC in 320ms,G1 Young Generation GC in 580ms"
| makemv delim="," fake_raw_data
| mvexpand fake_raw_data
| rename COMMENT as "The code above generates fake data with no field extractions"
| rex field=fake_raw_data "in\s(?<GC>\d+)"
| table _time fake_raw_data GC
| where GC > 500


rajpalyalla
Engager

Hey,

Can you give me an example of how to use this when we are using an index? I am trying to query like this:

index=* sourcetype=* GC (search for GC)

When I try to use this:

makeresults count=1 | index=* sourcetype=* GC | mvexpand ms | convert rmunit(ms) | rename ms as GC | search GC > 300

0 Karma


adonio
Ultra Champion

| makeresults just creates fake data.
Try only:

  index = YourIndexNameHere sourcetype = YourSourcetypeNameHere 
    | rex field=_raw "in\s(?<GC>\d+)"
    | table _time  GC
    | where GC > 500
0 Karma
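An alert-ready version of the index-based search above, added here as an example and not taken from the thread: it extracts the pause value with rex, coerces it to a number explicitly, keeps the 300ms threshold from the question, and summarises per host so the search can be saved as an alert. The index and sourcetype names are placeholders, and the handling of a bare "s" unit is an assumption in case a source also logs pauses in seconds.

```spl
index=YourIndexNameHere sourcetype=YourSourcetypeNameHere "Generation GC in"
| rename COMMENT as "capture the number and its unit; the pattern also accepts fractional values such as 12.5ms"
| rex field=_raw "GC in\s(?<gc_value>\d+(?:\.\d+)?)(?<gc_unit>ms|s)\b"
| rename COMMENT as "assumption: normalise everything to milliseconds in case a source logs seconds"
| eval gc_ms = if(gc_unit == "s", tonumber(gc_value) * 1000, tonumber(gc_value))
| rename COMMENT as "events without an extractable value are dropped by the comparison; 300 is the threshold from the question"
| where gc_ms > 300
| rename COMMENT as "one row per host so the alert can trigger on result count greater than 0 and show the worst pause"
| stats count AS slow_gc_count max(gc_ms) AS max_gc_ms latest(_raw) AS last_slow_event BY host
| sort -max_gc_ms
```

Save it as a scheduled alert that triggers when the number of results is greater than 0; to list the individual slow events instead of the per-host summary, replace the stats line with `| table _time host gc_ms _raw`.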

adonio
Ultra Champion

Hello there,
here is a sample search you can run anywhere to check:

| makeresults count=1
| eval ms = "350ms,320ms,350ms,450ms,100ms,250ms,175ms"
| makemv delim="," ms
| mvexpand ms
| rename COMMENT as "the above creates fake data; makemv splits the string into one value per delimiter and mvexpand turns each value into its own event"
| convert rmunit(ms)
| rename ms as GC
| search GC > 300

I used convert rmunit here to strip the "ms" suffix and change the field from a string to a number; read more here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Convert
Note: there are other ways to accomplish this, for example the rex command.

0 Karma

rajpalyalla
Engager

Hey,

My data is something like this, as mentioned:
G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms

How would I trim "in" after GC and also "ms"? Is there a way we can pick the value just before "ms" in my example and set an alert if we have a value like 500ms?

0 Karma

adonio
Ultra Champion
0 Karma