Can you help me with a problem I'm having with the delta command for microseconds?

Mustang1964s
New Member

I have the following search.

index=ironstream IFCID=1 LUWID_LUNAME=DBTP
| rex "QWSAPROC_0001\":\"(?P<proc_type>[0-9,A-Z]+)\""
| rex "QWSAPSRB_0001\":\"(?P<srb_tm>[0-9]+)\""
| rex "QWSAPSRB_ZIIP_0001\":\"(?P<ziip_srb_tm>[0-9]+)\""
| rex "QWSAEJST_0001\":\"(?P<tcb_tm>[0-9]+)\""
| rex delta srb_tm as srb_tmd
| eval srb_tmd=srb_tmd/1000000
| eval ziip_srb_tm=ziip_srb_tm/1000000
| eval srb_tm2=srb_tm2/1000000
| eval tcb_tm=tcb_tm/1000000
| timechart span=5min avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME limit=25

I need to find the delta between the current and previous variable.

It seems that the delta command is not working no matter where I put it.

I don't think the average is the correct command in the timechart when I really need it to plot the delta between the first and second, third and second, etc. If I can get the first one working, then the rest would be a clone.

The error I am getting is:

Error in 'rex' command: The regex 'delta' does not extract anything. It should specify at least one named group. Format: (?<name>...).

Here is what the input looks like.

DATETIME:            2018-12-28 09:54:01.03 -0600
IFCID:               1
LUWID_LUNAME:        DBTP
MFSOURCETYPE:        SMF100
QWSAEJST_0001:       4188699248
QWSAEJST_0002:       998394598
QWSAEJST_0003:       1972500005
QWSAEJST_0004:       96287
QWSAPROC_0001:       MSTR
QWSAPROC_0002:       DBM1
QWSAPROC_0003:       DIST
QWSAPROC_0004:       IRLM
QWSAPSRB_0001:       4246164184
QWSAPSRB_0002:       4261556787
QWSAPSRB_0003:       31787112375
QWSAPSRB_0004:       0
QWSAPSRB_ZIIP_0001:  3708120592
QWSAPSRB_ZIIP_0002:  38980597677
QWSAPSRB_ZIIP_0003:  44522321198
QWSAPSRB_ZIIP_0004:  0
QWSASRBT_0001:       4962927087
QWSASRBT_0002:       4445020542
QWSASRBT_0003:       32350120018
QWSASRBT_0004:       1260340950

Sincerely,

Steve B.


woodcock
Esteemed Legend

Like this:

...
| rex mode=sed "s/:\s+/=/g s/[\r\n]+/, /g"
| kv
| rename QWSAPROC_0001 AS proc_type, QWSAPSRB_0001 AS srb_tm, QWSAPSRB_ZIIP_0001 AS ziip_srb_tm, QWSAEJST_0001 AS tcb_tm
| delta srb_tm AS srb_tmd
| eval srb_tmd=srb_tmd/1000000 
| eval ziip_srb_tm=ziip_srb_tm/1000000 
| eval srb_tm2=srb_tm2/1000000 
| eval tcb_tm=tcb_tm/1000000 
| timechart span=5min limit=25 avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME

martin_mueller
SplunkTrust

The correct delta syntax with a rename would be ... | delta srb_tm as srb_tmd | ...

The way you had it included a superfluous rex command between the pipe and the delta, resulting in the posted error.

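An added Python stand-in for the corrected pipeline (not code from the thread or from Splunk), so the behaviour of delta can be checked offline: it runs the page's rex, delta, eval and timechart steps over constructed events and shows two things the chart alone hides: the first event gets a null delta, and because a plain search returns events newest first, the delta of a growing counter comes out negative unless the events are sorted by _time first. The JSON-ish event shape and the counter values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed events in the JSON-ish shape the page's rex patterns imply;
# counter values are made up. Newest first, as a plain Splunk search returns them.
RAW_EVENTS = [
    '{"DATETIME":"2018-12-28 09:56:01.03","QWSAPSRB_0001":"4249500000"}',
    '{"DATETIME":"2018-12-28 09:54:01.03","QWSAPSRB_0001":"4245000000"}',
    '{"DATETIME":"2018-12-28 09:52:01.03","QWSAPSRB_0001":"4240000000"}',
    '{"DATETIME":"2018-12-28 09:50:01.03","QWSAPSRB_0001":"4236000000"}',
    '{"DATETIME":"2018-12-28 09:48:01.03","QWSAPSRB_0001":"4230000000"}',
]
SRB_RE = re.compile(r'"QWSAPSRB_0001":"(?P<srb_tm>[0-9]+)"')  # the page's rex
TIME_RE = re.compile(r'"DATETIME":"(?P<ts>[^"]+)"')

def extract(raw):
    """rex: pull _time and the cumulative SRB counter (microseconds) from one event."""
    ts = datetime.strptime(TIME_RE.search(raw)["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return {"_time": ts, "srb_tm": int(SRB_RE.search(raw)["srb_tm"])}

def delta(events, field, out):
    """delta <field> AS <out>: current minus previous event, in the order given;
    the first event has no predecessor, so its delta is null (None)."""
    prev = None
    for ev in events:
        ev[out] = None if prev is None else ev[field] - prev[field]
        prev = ev
    return events

def timechart_avg(events, field, span_min=5):
    """timechart span=5min avg(<field>): mean of the non-null values per bucket."""
    buckets = defaultdict(list)
    for ev in events:
        if ev[field] is not None:  # avg() skips null values, as Splunk does
            t = ev["_time"]
            start = t.replace(minute=t.minute - t.minute % span_min, second=0, microsecond=0)
            buckets[start.strftime("%H:%M")].append(ev[field])
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}

def run(raw_events, chronological):
    """Whole pipeline; chronological=True stands in for an explicit '| sort _time'."""
    events = [extract(r) for r in raw_events]
    if chronological:
        events.sort(key=lambda ev: ev["_time"])
    for ev in delta(events, "srb_tm", "srb_tmd"):
        if ev["srb_tmd"] is not None:
            ev["srb_tmd"] /= 1_000_000  # eval srb_tmd=srb_tmd/1000000
    return timechart_avg(events, "srb_tmd")
```

With the constructed data, run(RAW_EVENTS, chronological=True) gives {'09:50': 5.0, '09:55': 4.5} while the unsorted run gives {'09:45': -6.0, '09:50': -4.5}, the same magnitudes shifted to earlier buckets and negated.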