topic Re: How to edit my search to extract string value from an event and get the total count and range values? in Splunk Search

How to edit my search to extract string value from an event and get the total count and range values?

guru865 — Mon, 06 Mar 2017 20:26:51 GMT

Need to extract string from event and get the total count and range values .

I have event logs with a "response time (25) sec" and i would like to have the number in () extracted and total count with values in () and check how many are <25 sec and >25 .

basesearch | feildextracted"response time value from the bracket ()"= * | eval time = case(rep<=2, rep >20, ) | stats count as total by duration

Re: How to edit my search to extract string value from an event and get the total count and range values?

somesoni2 — Mon, 06 Mar 2017 21:07:25 GMT

Give this a try

your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time

This should give count for each value of response_time.

Re: How to edit my search to extract string value from an event and get the total count and range values?

niketn — Mon, 06 Mar 2017 21:11:32 GMT

Following field extraction should work in your case however, you should consider
1) either providing more sample data/mock data
2) Interactive Field Extraction within Splunk to let Splunk come up with appropriate regular expression as per your data

rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"

For coming up with ranges you can try the following

Option 1: Splunk's rangemap command which generates range field

| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range

Option 2 If you want to do the same through case you can try the following:

| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range

The same can also be done via nested if command but will become complicated with multiple ranges.

Re: How to edit my search to extract string value from an event and get the total count and range values?

woodcock — Mon, 06 Mar 2017 21:28:28 GMT

Like this:

basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search count=25

Re: How to edit my search to extract string value from an event and get the total count and range values?

guru865 — Mon, 06 Mar 2017 22:51:47 GMT

Thank You Niketnilay .

Re: How to edit my search to extract string value from an event and get the total count and range values?

guru865 — Mon, 06 Mar 2017 22:52:01 GMT

Thank you Woodcock .