topic Re: Need to extract elapsed time in Splunk Search

Need to extract elapsed time

vipulg83 — Wed, 30 Sep 2020 05:02:19 GMT

hi,

I have a query with the below mentioned resultset

logger: com.optum.bh.benefit.plan.api.BhBenefitPlansResource
message: bhben-plan-api:bHPlanView(), env=prod packageId = 1438939 timeUsed(ms) = 19
properties: { [+]
}
severity: DEBUG
thread: http-nio-8080-exec-5
}
Show as raw text
host = hec-splunk.optum.commessage = bhben-plan-api:bHPlanView(), env=prod packageId = 1438939 timeUsed(ms) = 19source = bhwebservice.logsourcetype = cba_shared_components:scwebservice:error_log

Need to extract timeUsed(ms) field so that I can build a table for the elapsed time for the requests

Re: Need to extract elapsed time

richgalloway — Fri, 17 Apr 2020 12:07:37 GMT

This should do it.

... | rex "timeUsed\(ms) = (?<timeUsed>\d+)"

Re: Need to extract elapsed time

vipulg83 — Fri, 17 Apr 2020 12:16:38 GMT

Error in 'rex' command: Encountered the following error while compiling the regex 'timeUsed(ms) = (?\d+)': Regex: unmatched closing parenthesis

Re: Need to extract elapsed time

to4kawa — Fri, 17 Apr 2020 12:36:31 GMT

you fix it

Re: Need to extract elapsed time

vipulg83 — Fri, 17 Apr 2020 12:37:40 GMT

working on that

Re: Need to extract elapsed time

vipulg83 — Fri, 17 Apr 2020 12:47:51 GMT

Updated it a bit

rex "timeUsed(ms) = (?\d+)"

Re: Need to extract elapsed time

richgalloway — Fri, 17 Apr 2020 12:48:01 GMT

That error message usually means there's a missing backslash \\.

Re: Need to extract elapsed time

vipulg83 — Wed, 30 Sep 2020 05:02:22 GMT

Done, thanks

index=cba_shared_components timeUsed(ms)| rex "timeUsed(ms) = (?\d+)"|table timeUsed

Re: Need to extract elapsed time

vipulg83 — Wed, 30 Sep 2020 05:02:24 GMT

Done, thanks

index=cba_shared_components timeUsed(ms)| rex "timeUsed(ms) = (?\d+)"|table timeUsed

Re: Need to extract elapsed time

vipulg83 — Fri, 17 Apr 2020 13:11:34 GMT

was able to build a dashboard guys, thanks for your help

rex "timeUsed(ms) = (?<timeUsed>\d+)"|table timeUsed | eval timeUsedBucket=case(timeUsed<=100,"0-100ms",timeUsed<=200,"101-200ms",timeUsed<=500,"201-500ms",timeUsed<=1000,"501-1000ms",timeUsed<=5000,"1001-5000ms",1==1,"above 5000ms")| stats count by timeUsedBucket

Re: Need to extract elapsed time

richgalloway — Fri, 17 Apr 2020 14:38:14 GMT

Use backticks to keep the system from eating your code.
If your problem is resolved then please accept the answer to help future readers.