topic Re: How to format the SPL as code? in Splunk Search

How to format the SPL as code?

venkat0896 — Wed, 21 Aug 2019 08:12:40 GMT

Hi,

I am working on a dashboard. i am creating a table to monitor the count, average response time and maximum response time of the Api calls.

I need some assistance with the rex field
here is my logger:

2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200

here is my search query

source="/log/server.log"
/api1
OR /api2
OR /api3
"[METRICS] Response Time" 
| rex field=_raw " (?<Request>/.*):" 
| rex field=_raw "(?<Time>.*?)ms" 
| stats  count as Total,  
avg(Time) as "Average Response Time (ms)", 
max(Time) as "Maximum Response Time (ms)" by Request

The table is generating but only the count is working. please assist with rex field to get the average response time
Expected result

Request Count Average response time Maximum response time
/api1        1               ms                       ms
/api2         1              ms                        ms

Thanks in advance !!

Re: How to format the SPL as code?

venkat0896 — Wed, 21 Aug 2019 12:41:46 GMT

@ansusabu can you take a look on this ?

Re: How to format the SPL as code?

aohls — Wed, 21 Aug 2019 12:50:39 GMT

Your event looks to have a space before ms, have you confirmed Time is getting values?
Maybe| rex field=_raw "(?.?) ms" would work.
Edit: not displaying right but (?<Time>.?) ms

Re: How to format the SPL as code?

richgalloway — Wed, 21 Aug 2019 13:06:53 GMT

Please edit your question to format the SPL as code. Do that by highlighting the SPL and then clicking the 101010 icon. Then please correct the rex statements.

Re: How to format the SPL as code?

venkat0896 — Wed, 21 Aug 2019 13:08:52 GMT

@aohls
2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200
1658 is the value.
i tried leaving a space before ms .. not working

Re: How to format the SPL as code?

aohls — Wed, 21 Aug 2019 14:22:53 GMT

We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms This did not work for me, no results
(?<Time>.?) ms Has a space and works ok but only gets the end number, 4 in my case.
(?<Time>\d+) ms This worked the best as it is getting the full number.

Re: How to format the SPL as code?

venkat0896 — Wed, 21 Aug 2019 14:34:47 GMT

Yes perfect @aohls

Re: How to format the SPL as code?

cathalmcginley — Wed, 21 Aug 2019 16:39:35 GMT

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

Re: How to format the SPL as code?

niketn — Wed, 30 Sep 2020 01:50:54 GMT

@venkat0896 instead of having two rex on _raw you can write a single i.e. | rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
Following is a run anywhere search based on your data.

| makeresults
| fields - _time
| eval _raw="2019-08-20 10:37:02,690 INFO [package name] (default task-248) [header-values] [METRICS] Response Time for POST /base/one/two: 1658 ms, httpResponseCode=200"
| rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
| fields api_name Time _raw