Solved: Re: Search split value with spaces

oferprtz · ‎07-08-2013

Hi,

Newbie here 🙂
trying to search value that actually split with spaces:

DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 3250 details: DataBase:
DEBUG PerformanceMonitor [(null)] - PerformanceMonitor resource: DataBase elapsed : 11204 details: DataBase:

im trying to create a search or chart that will min and max the values of the elapsed.
since the values are seperated with spaces i cannot achieve that.

any ideas?

thanks,
ofer

ranjyotiprakash · ‎07-09-2013

you can use the following command rex command to extract the elapsed field :

.... | rex field=_raw ".*\s+elapsed\s+:\s+(?<elapsed>\d+)\s"

and then use timechart, table, stats etc commands based upon your requirement.

View solution in original post

oferprtz · ‎07-09-2013

Thank you! found the issue, it was set as wrong sourcetype, now its working perfect!

thanks!

aholzer · ‎07-09-2013

I'd have to take a look at your field extraction definition, but I'm guessing that you stored it for the wrong sourcetype, or you have a typo.

The other thing that could be happening is that your "elapsed" field occurs so rarely that it isn't one of your "interesting fields", since it doesn't appear in 50% or more of your events. In which case you would see it if you clicked on the "edit" button next to "selected fields" and look for "elapsed".

ranjyotiprakash · ‎07-09-2013

you can use the following command rex command to extract the elapsed field :

.... | rex field=_raw ".*\s+elapsed\s+:\s+(?<elapsed>\d+)\s"

and then use timechart, table, stats etc commands based upon your requirement.

oferprtz · ‎07-09-2013

great stuff ranjyotiprakash! seems that the search works flawless, now ive got 2 methods of use!

thanks!

aholzer · ‎07-09-2013

@oferprtz, what @ranjyotiprakash says here is also a good method. I simply prefer creating a field extraction, for a couple of reasons:
1) It helps to be consistent where you store fields of interest to you
2) you don't have to reuse the code in every search you want this field included in

But what @ranjyotiprakash says is a great method to confirm that the regex for the field extraction is in fact working.

oferprtz · ‎07-09-2013

Thanks for the quick response aholzer!!
one more question 🙂
ive created new field extraction and saved it, but when i do a search the field 'elapsed' wouldnt show in the fields.
its shows up only when i use this line:
PerformanceMonitor | rex "elapsed\s:\s(?[^\s]+)\s"
in the search line.
what im missing here?

thanks,
ofer.

aholzer · ‎07-08-2013

the regex above is supposed to escape all the "s" after elapsed, but due to formatting it was lost when I pasted it in the comment. Here it is again:
"elapsed\s:\s(?[^\s]+)\s"

aholzer · ‎07-08-2013

I'd suggest creating a field extraction for your values. That way you can later reference the field in your chart and / or search.

You'll need to use some regex to get the values properly. You can use something like this:
"elapsed\s:\s(?[^\s]+)\s"

Here's some documentation on field extraction:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsatsearchtime

Search split value with spaces

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases