field extraction not working with transforming com...

sansay · ‎03-03-2014

I wrote an inline field extraction like this:

| rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd"

It works and I see my field CPUPCT in the "fields" pane on the left. If I click on it, I get the usual top 10 values and all looks good. But, if I add:

| timechart avg( CPUTPCT )

Then I get "No results found. Inspect ..."

Any idea why that happens?

somesoni2 · ‎03-05-2014

Try this

index=os sourcetype=ps host=your_splunk_indexers* splunkd pctCPU | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd" | convert num(CPUPCT) | timechart avg(CPUPCT)

sansay · ‎03-27-2014

Thanks for all your efforts MuS.
I just tried it with the simplest way you proposed, and, to my great surprise, it worked. The one thing I can tell you is that the simplest way didn't work originally. I remember that I had to filter for pctCPU so that I don't get to much data to sift through, and then strangely enough, our infrastructure team ran some updates on the hosts, and it stopped working altogether. So I went overboard with more complex approaches. But now, I just removed the "pctCPU" from the search, and it's back to working as it should have in the first place. So thank you so much!

MuS · ‎03-06-2014

for me this works fine on Splunk 6.0 Build 182037:

index=os sourcetype=ps splunkd | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?<CPUPCT>[\d]+\.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd" | timechart avg(CPUPCT)

btw, why are you extracting a existing field? You could use the pctCPU field directly like this:

index=os sourcetype=ps splunkd | timechart avg(pctCPU)

sansay · ‎03-05-2014

Sorry, it doesn't work.
As a matter of fact I think I looked into that possibility. But I didn't expect it to work because when running the query without timechart, if I open the CPUPCT field in the left pane, it identifies it as "CPUPCT (numeric)".

MuS · ‎03-03-2014

Hi sansay,

don't put any spaces around your fieldname in the avg command and check your fieldname: you're extracting CPUPCT but you are using CPUTPCT in the timechart.

cheers, MuS

sansay · ‎03-05-2014

As I explained in the statement, the CPUPCT values appear in the fields pane, only, and ONLY IF THE SEARCH IS NOT FOLLOWED BY A TRANSFORMING COMMAND such as stats, chart, timechart etc.
This is the issue I am trying to resolve. Inspection of the search just tells me that the search with timechart found nothing, which is just impossible since it does bring back logs, and even extract the CPUPCT field without timechart.

sansay · ‎03-05-2014

Here is the complete query:
index=os sourcetype=ps host=your_splunk_indexers* splunkd pctCPU | rex "splunk[\s]+[\d]+[\s]+[\d]+[\s]+(?[\d]+.[\d]+)[\s]+[\d]{2}:[\d]{2}:[\d]{2}[\s]+.+splunkd"

Naturally you will have to replace "your_splunk_indexers" with the name you use in your splunk system.
The logs I get back:
USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS
root 1 18 0.0 00:01:32 0.0 756 10372 ? S 47-23:31:31 init [3]

etc.

MuS · ‎03-04-2014

either you really have no results or click the inspect link to see what is marked in yellow, this is the search which brings back nothing.

sansay · ‎03-04-2014

Hi MuS,
The T was a typo I made when I wrote my question here, and the spaces weren't in my experiments. So, sorry but your suggestion changes nothing. Did you try repeating this?

field extraction not working with transforming commands

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...