I have the following search.
index=ironstream IFCID=1 LUWID_LUNAME=DBTP
| rex "QWSAPROC_0001\":\"(?P<proc_type>[0-9,A-Z]+)\""
| rex "QWSAPSRB_0001\":\"(?P<srb_tm>[0-9]+)\""
| rex "QWSAPSRB_ZIIP_0001\":\"(?P<ziip_srb_tm>[0-9]+)\""
| rex "QWSAEJST_0001\":\"(?P<tcb_tm>[0-9]+)\""
| rex delta srb_tm as srb_tmd
| eval srb_tmd=srb_tmd/1000000
| eval ziip_srb_tm=ziip_srb_tm/1000000
| eval srb_tm2=srb_tm2/1000000
| eval tcb_tm=tcb_tm/1000000
| timechart span=5min avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME limit=25
I need to find the delta between the current and previous variable.
It seems that the delta command is not working no matter where I put it.
I don't think the average is the correct command in the timechart when I really need it to plot the delta between the first and second, third and second, etc. If I can get the first one working, then the rest would be a clone.
The error I am getting is:
Error in 'rex' command: The regex 'delta' does not extract anything. It should specify at least one named group. Format: (?<name>...).
Here is what the input looks like.
DATETIME: 2018-12-28 09:54:01.03 -0600
IFCID: 1
LUWID_LUNAME: DBTP
MFSOURCETYPE: SMF100
QWSAEJST_0001: 4188699248
QWSAEJST_0002: 998394598
QWSAEJST_0003: 1972500005
QWSAEJST_0004: 96287
QWSAPROC_0001: MSTR
QWSAPROC_0002: DBM1
QWSAPROC_0003: DIST
QWSAPROC_0004: IRLM
QWSAPSRB_0001: 4246164184
QWSAPSRB_0002: 4261556787
QWSAPSRB_0003: 31787112375
QWSAPSRB_0004: 0
QWSAPSRB_ZIIP_0001: 3708120592
QWSAPSRB_ZIIP_0002: 38980597677
QWSAPSRB_ZIIP_0003: 44522321198
QWSAPSRB_ZIIP_0004: 0
QWSASRBT_0001: 4962927087
QWSASRBT_0002: 4445020542
QWSASRBT_0003: 32350120018
QWSASRBT_0004: 1260340950
Sincerely,
Steve B.
Like this:
...
| rex mode=sed "s/:\s+/=/g s/[\r\n]+/, /g"
| kv
| rename QWSAPROC_0001 AS proc_type, QWSAPSRB_0001 AS srb_tm, QWSAPSRB_ZIIP_0001 AS ziip_srb_tm, QWSAEJST_0001 AS tcb_tm
| delta srb_tm AS srb_tmd
| eval srb_tmd=srb_tmd/1000000
| eval ziip_srb_tm=ziip_srb_tm/1000000
| eval srb_tm2=srb_tm2/1000000
| eval tcb_tm=tcb_tm/1000000
| timechart span=5min limit=25 avg(srb_tmd) as PREEMPT_SRB avg(ziip_srb_tm) as PREEMPT_IIP_SRB avg(srb_tm2) as SRB_TIME avg(tcb_tm) as TCB_TIME
The correct delta syntax with a rename would be ... | delta srb_tm as srb_tmd | ...
The way you had it included a superfluous rex command between the pipe and the delta, resulting in the posted error.
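One point the answers above leave implicit, shown as an added example that is not part of the original thread: `delta` subtracts the previous result in search order, and Splunk returns events newest first, so a cumulative counter yields negative deltas unless the events are sorted by `_time` before `delta` runs. The events are built with `makeresults`; every `srb_tm` value except 4246164184 is constructed, and dropping negative deltas assumes the counter starts again from a low value after a subsystem restart.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (n * 300)
| eval srb_tm = case(n=1, 3000000, n=2, 2400000, n=3, 1200000, n=4, 4246964184, n=5, 4246164184)
| sort 0 _time
| delta srb_tm AS srb_tmd
| eval srb_tmd = if(srb_tmd < 0, null(), srb_tmd / 1000000)
| timechart span=5min max(srb_tmd) AS PREEMPT_SRB
```

With one event per 5-minute bucket, the chart shows 0.8, a gap at the restart, then 1.2 and 0.6; removing the `sort` line makes every pre-filter delta the negative of the next interval's value.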