Solved: How to extract numeric data from a String name val...

buddhabelly · ‎08-29-2012

Hello, I am new to SPLUNK and have gone through the tutorials about searching for data and have managed to find some basic things I am looking for.

However this is my situation:

I have an App that writes to the Windows event log. It writes out some name value pairs that end up looking like this in the Windows Event log and in the SPLUNK events: Message=The VB Application identified by the event source logged this Application XXX: Thread ID: 5924 ,Logged: Process=XXXX ID={XXXXXX-696B-4136-9162-5DE0FA5D5F64} Time=3214. The bolded part is what the App writes to the event log.

I can find these specific events fine but now I would like to create an alert when the "Time" value is over a certain amount (performance monitoring). I've tried various combinations in my search ("time>3000"; time>3000; "time!=2***" etc) but each time I get 0 results.

Can I create a search out of a message string that includes numeric functions? Something like this Time>3000?

Thanks for any help!!

BB

jonuwz · ‎08-29-2012

Is Time listed as an extracted field in the field picker (in the sidebar) ?

If not, you'll have to extract it yourself ..

... | rex .*Time=(?P<Time>\d+) | ...

Then you can do ... | where Time > 3000

I'd be surprised if Time wasn't automatically extracted though.

Update .. (aka formatting ate my backslashes)

Sorry about that.

In regex stuff in brackets (....) is a capture group.
so given the string : "My name is 6"

the regex : "My (\w+) is (\d+)"

puts "name" in capture group 1, and "6" in capture group 2.

\w+ is 1 or more word characters

\d+ is 1 or more digits

you can name the capture groups too

the regex "My (?<attibute>\w+) is (?<value>\d+)"
is the same as "My (\w+) is (\d+)"

apart from you can refer to capture group 1 as "attribute" and capture group 2 as "value"

(?P means you can use the named capture group elsewhere in the rest of the regular expression. in your case its not needed, its just habit.

Here's an example :

* | head 1 | eval string="Process=XXXX ID={XXXXXX-696B-4136-9162-5DE0FA5D5F64} Time=3214" | rex field=string .*Time=(?P<Time>\d+) | table Time

View solution in original post

nithatech · ‎11-15-2013

Hi Jon,

I am trying to something like this:
I have this kind of info in my splunk logs
"BatchService BatchService;ProcessedTime:2896;RequestsProcessed:30"

would like to extract ProcessedTime and want to chart on ProcessedTime.
I tried this but does not give any results.

... batch ProcessedTime RequestsProcessed | rex .*ProcessedTime=(?P\d+) | where ProcessedTime > 10000

What am i doing wrong here?

nithatech · ‎11-15-2013

never mind got it. It would be : for my case (not 😃

nithatech · ‎11-15-2013

There is a backslash() before d+, disappeared after i clicked post

nithatech · ‎11-15-2013

Hi,

This is a very useful topic for what I am doing as well.
Can someone explain what is the .* for before the Time in ("... | rex .*Time=(?P\d+) | ...")

jonuwz · ‎08-29-2012

Is Time listed as an extracted field in the field picker (in the sidebar) ?

If not, you'll have to extract it yourself ..

... | rex .*Time=(?P<Time>\d+) | ...

Then you can do ... | where Time > 3000

I'd be surprised if Time wasn't automatically extracted though.

Update .. (aka formatting ate my backslashes)

Sorry about that.

In regex stuff in brackets (....) is a capture group.
so given the string : "My name is 6"

the regex : "My (\w+) is (\d+)"

puts "name" in capture group 1, and "6" in capture group 2.

\w+ is 1 or more word characters

\d+ is 1 or more digits

you can name the capture groups too

the regex "My (?<attibute>\w+) is (?<value>\d+)"
is the same as "My (\w+) is (\d+)"

apart from you can refer to capture group 1 as "attribute" and capture group 2 as "value"

(?P means you can use the named capture group elsewhere in the rest of the regular expression. in your case its not needed, its just habit.

Here's an example :

* | head 1 | eval string="Process=XXXX ID={XXXXXX-696B-4136-9162-5DE0FA5D5F64} Time=3214" | rex field=string .*Time=(?P<Time>\d+) | table Time

buddhabelly · ‎08-30-2012

Yes that did it! The missing backslash was the culprit

Thank you very much!!

This is my first foray into using SPLUNK and I can see how valuable it can be. This is all in test right now but I created a dashboard panel off of the query you helped with and I can see how I can track my Apps performance is certain areas. Very cool!!

Thanks again!

buddhabelly · ‎08-30-2012

Thanks for your reply.

No "Time" is not listed as an extracted field in the side bar.

If you look at my first post, the bolded part is what the App writes out. None of those value pairs are available to select from the sidebar.

I tried your suggestion with the "rex" command but I get 0 results. Thanks for the pointer though! I also looked at "extract" but could not get any results with that either.

I looked at the help for "rex" but could not see what the "?P" and "d+" are doing in the command? Do you have any suggestions or pointers where I could go to figure this out?

Thanks again!!

lpolo · ‎08-29-2012

Yes you can.
I just noticed that in your log event section, you presented Time with "T" capital letter. Make sure your query has Time>your_value_threshold and not time>your_value_threshold.

buddhabelly · ‎08-29-2012

Thanks for the info. I have tried using both capital and non capital to no avail.

Maybe I need to write out my data differently? Just wite out the number? But again since it will be in a string I can't seem to figure out how to write the search statement in a way that will only pick up some of the events that are over a threshold.

How to extract numeric data from a String name value pair?

Update .. (aka formatting ate my backslashes)

Update .. (aka formatting ate my backslashes)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life