Solved: how to fetch all the events which are gerater than...

rajpalyalla · ‎06-22-2017

Hi,

How can we fetch all the occurence of GC which is greater than 300.
we have some thing like below in logs. we want filter to show where GC greate than 300.

G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms

adonio · ‎06-26-2017

posting another answer to demonstrate the use of rex command:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rex
here is the code, run it in Splunk and see results

| makeresults count=1
| eval fake_raw_data = "G1 Young Generation GC in 323ms,
G1 Young Generation GC in 250ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 305ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 570ms,
G1 Young Generation GC in 430ms,G1 Young Generation GC in 320ms,G1 Young Generation GC in 580ms"
| makemv delim="," fake_raw_data
| mvexpand fake_raw_data
| rename COMMENT as "The code above generates fake data with no field extractions"
| rex field=fake_raw_data "in\s(?<GC>\d+)"
| table _time fake_raw_data GC
| where GC > 500

screenshot:

View solution in original post

rajpalyalla · ‎06-29-2017

Hey ,

can you give me an example by how to use this when we are using index like iam trying to query like this

index=* sourcetype=* GC (search for GC)

when i try to use this

adonio · ‎06-26-2017

posting another answer to demonstrate the use of rex command:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Rex
here is the code, run it in Splunk and see results

| makeresults count=1
| eval fake_raw_data = "G1 Young Generation GC in 323ms,
G1 Young Generation GC in 250ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 305ms,G1 Young Generation GC in 280ms,G1 Young Generation GC in 570ms,
G1 Young Generation GC in 430ms,G1 Young Generation GC in 320ms,G1 Young Generation GC in 580ms"
| makemv delim="," fake_raw_data
| mvexpand fake_raw_data
| rename COMMENT as "The code above generates fake data with no field extractions"
| rex field=fake_raw_data "in\s(?<GC>\d+)"
| table _time fake_raw_data GC
| where GC > 500

screenshot:

rajpalyalla · ‎06-29-2017

Hey ,

can you give me an example by how to use this when we are using index like iam trying to query like this

index=* sourcetype=* GC (search for GC)

when i try to use this

adonio · ‎06-29-2017

| makeresults just creates fake data.
try only:

  index = YourIndexNameHere sourcetype = YourSourcetypeNameHere 
    | rex field=_raw "in\s(?<GC>\d+)"
    | table _time  GC
    | where GC > 500

adonio · ‎06-22-2017

Hello there,
here is a sample code to run anywhere and check:

| makeresults count=1
| eval ms = "350ms,320ms,350ms,450ms,100ms, 250ms, 175ms,"
| makemv delim="," ms
| mvexpand ms
| rename COMMENT: the above creates fake data
| convert rmunit(ms)
| rename ms as GC
| search GC > 300

used here the convert rmunit to remove the "ms" extension and change the field from a string to a value, read more here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Convert
note: there are other ways to accomplish that like rex command for example
here's a screenshot:

rajpalyalla · ‎06-26-2017

Hey ,

My data is some thing like as mentioned
G1 Young Generation GC in 323ms
G1 Young Generation GC in 250ms
G1 Young Generation GC in 280ms
G1 Young Generation GC in 305ms

how would i trim "in" after GC and also "ms" is there a way we can pick the value just before "ms" in my example and set alert if we have the value like 500ms

adonio · ‎06-26-2017

maybe try and use the field extractor:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
follow on this guide

how to fetch all the events which are gerater than number for GC in my log

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!