Solved: Extracting values for table

reinharn · ‎07-03-2019

I have events in my logs that look like

{
     linesPerSec:    1694.67    
     message:    Status:    
     rowCount:   35600000   
     severity:   info
}

when i make a search like:

index="apps"  app="my-api" message="*Status:*" | table  _time,  linesPerSec, rowCount

This is what my table ends up looking like

How do I get the number value away from the key for both linesPerSec and rowCount? I want to see all instances. I tried using values(linesPerSec) but that seemed to aggregate only unique.

Thanks,

Nate

rbechtold · ‎07-03-2019

Hey Nate,

This simple extraction should do the trick.

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

View solution in original post

rbechtold · ‎07-03-2019

Hey Nate,

This simple extraction should do the trick.

...BASE SEARCH...
 | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

reinharn · ‎07-03-2019

Thanks for the response!

If I wanted to get those values into the table how would I go about that?

index="apps"  app="my-api" message="*\Status:*" | table linesPerSec, rowCount | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)"

I still get the table values as the key/value.

rbechtold · ‎07-03-2019

No problem!

Since the fields don't exist until after the extraction is complete, you'll need to move the table to be after your extraction in order to see them.

This should correct the issue:

index="apps"  app="my-api" message="*\Status:*" | rex field=_raw "linesPerSec\:\s+?(?<linesPerSec>\S+)[\S\s]+rowCount\:\s+?(?<rowCount>\S+)" | table _time linesPerSec, rowCount

Let me know if there are any problems!

reinharn · ‎07-03-2019

Just tried that. Still doesn't seem to like to separate the values.

reinharn · ‎07-03-2019

https://imgur.com/a/2v3OcMa

rbechtold · ‎07-03-2019

Let's try a different approach -- extracting directly from the fields themselves.

Could you give this a try for me?

index="apps"  app="my-api" message="*\Status:*" 
| rex field=linesPerSec "(?<LPS>[\d\.]+)"
| rex field=rowCount "(?<RC>\d+)"
| table _time LPS RC

Since I'm not exactly sure if the problem is coming from the fields or the extraction, I'm just going to bypass both and create two new fields: LPS (linesPerSec) and RC (rowCount).

These should contain the correct values.

reinharn · ‎07-03-2019

That worked! Thanks so much!

aohls · ‎07-03-2019

You could use a regex to extract just the number.|rex field=_raw "linesPerSec (?<linesPerSec>\d+$)"|rex field=_raw "rowCount (?<rowCount>\d+$)"

EDIT: Cant get it to show but between the ? and \d would be the value name you want to use in the search surrounded by <>.

This would get you just the number values. If you are using the log a lot also you should look at setting up a field extraction; it would make it easier in the future.

Extracting values for table

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk