- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract help...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract help...
Hi,
We log our filesystem utilization to Splunk, and I'd like to extract percentage used field, but the formats for Windows/*Nix are different. Was wondering if there are any regex experts out there that could take the two examples and create a universal regex that grabs the percent used utilization:
Nix (percentage is after "Use%")
14:42:21 05/05/2015 good 1048593817 [Linux][Baseline][SERVERA][FileSystem][/tmp] FileSystems\/tmp\Use%=1% 11:33243 0 1
Windows (percentage is after bracket and before %full):
14:56:34 05/05/2015 good 1039182967 [Windows][Baseline][ei0610vwin][DriveSpaceFree][C-MBFree] 93.414% full, 3372MB free, 51197MB total 2:251 93.414 3372
TIA...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! Here is what you can do. Working both for Windows/*Nix filesystems!
.....|rex field=_raw "^[^\n]*Use\%=(?P<tmpuse>\d+)"|rex field=_raw "^(?:[^ \n]* ){1,8}(?P<tmpuse>[0-9.]+)\%\s*full"|table tmpuse
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This gave me an error - perhaps something was translated when posting? Is there a way to make this an extract?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what to type.
|rex field=_raw "^[^\n]Use\%=(?P<tmpuse>\d+)"|rex field=_raw "^(?:[^ \n] ){1,8}(?P<tmpuse>[0-9.]+)\%\s*full"|table tmpuse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, not working though. Comes back blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the text editor. replace "<" with < and ">"with > in the code bellow
...|rex field=_raw "^[^\n]Use%=(?P<tmpuse>d+)"|rex field=_raw "^(?:[^ \n] ){1,8}(?P<tmpuse>[0-9.]+)\%s*full"|table tmpuse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried that:
|rex field=_raw "^[^\n]Use%=(?P<tmpuse>d+)"|rex field=_raw "^(?:[^ \n] ){1,8}(?P<tmpuse>[0-9.]+)\%s*full"|table tmpuse
Doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Always errors in your above code! Escape all % caracters. And put a star(*) after all "[^ \n]", and do not forget to replace "<" as mentioned earlier.
See my first query above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
([\d\.]*)%
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try mine? Here is the full search:
... | rex "(?<myPct>[\d\.]*)%" | table myPct
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
