https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505403#M141232 <P>Hi,</P><P>It didn't work got this error:</P><DIV class="alerts search-searchflashmessages"><DIV class="alert alert-error">Error in 'rex' command: The regex '(&lt;time&gt;\d+)' does not extract anything. It should specify at least one named group. Format: (?&lt;name&gt;...).</DIV></DIV><DIV class="job-status-container"><DIV class="shared-jobstatus"><DIV class="alert alert-error">The search job has failed due to an error. You may be able view the job in....</DIV></DIV></DIV><P>&nbsp;</P><P>I tried also but no results</P><P>index=prod-* "WEBSERVICES CALL ENDED"</P><P>|rex field=time "processing time:&lt;(?&lt;time&gt;.*)&gt; ms"</P><P>|where time&gt;10</P> Sun, 21 Jun 2020 23:02:37 GMT ycherbi 2020-06-21T23:02:37Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505383#M141227 <P>Hi,</P><P>&nbsp;</P><P>I am using Splunk to monitor our REST API calls</P><P>search is</P><P>index=prod-* "WEBSERVICES CALL ENDED"</P><P>it gives&nbsp; me results, but I want to get only results when time&gt; 5000 ms&nbsp;</P><P>or get the slowest API response time by time field?</P><P>hoe can I do it?</P> Sun, 21 Jun 2020 16:31:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505383#M141227 ycherbi 2020-06-21T16:31:39Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505394#M141228 We need more information. Please share some same (anonymized) data. Sun, 21 Jun 2020 18:32:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505394#M141228 richgalloway 2020-06-21T18:32:49Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505399#M141229 <P>Hi,</P><P>Thank you for your reply,I will add more info</P><P>so this is my search</P><P>&nbsp;index=prod-* "WEBSERVICES CALL ENDED"</P><P>It will return records that indicate about my API call end&nbsp; (see image below)</P><P>As you can see we have processing time field in our logs and also time field (by Splunk) both are equal, I would to use this time field and get only API calls that processing time is longer than 5000ms ( add alerts).</P><P>Or get average API time, hope it more clear now</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Jun 2020 16:02:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505399#M141229 ycherbi 2020-06-22T16:02:48Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505402#M141231 <P><SPAN>index=prod-* "WEBSERVICES CALL ENDED"</SPAN></P><P><SPAN>|rex field=time "(&lt;time&gt;\d+)"</SPAN></P><P><SPAN>|where time&gt;5000</SPAN></P><P>&nbsp;</P><P><SPAN>fire alert: event count &gt; 0</SPAN></P> Sun, 21 Jun 2020 21:17:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505402#M141231 to4kawa 2020-06-21T21:17:26Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505403#M141232 <P>Hi,</P><P>It didn't work got this error:</P><DIV class="alerts search-searchflashmessages"><DIV class="alert alert-error">Error in 'rex' command: The regex '(&lt;time&gt;\d+)' does not extract anything. It should specify at least one named group. Format: (?&lt;name&gt;...).</DIV></DIV><DIV class="job-status-container"><DIV class="shared-jobstatus"><DIV class="alert alert-error">The search job has failed due to an error. You may be able view the job in....</DIV></DIV></DIV><P>&nbsp;</P><P>I tried also but no results</P><P>index=prod-* "WEBSERVICES CALL ENDED"</P><P>|rex field=time "processing time:&lt;(?&lt;time&gt;.*)&gt; ms"</P><P>|where time&gt;10</P> Sun, 21 Jun 2020 23:02:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505403#M141232 ycherbi 2020-06-21T23:02:37Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505405#M141233 <P>Also this didnt work</P><P>&nbsp;</P><P>index=prod-* "WEBSERVICES CALL ENDED"</P><P>|rex field=time "(?&lt;time&gt;.*)"</P><P>|where time&gt;23</P> Sun, 21 Jun 2020 23:04:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505405#M141233 ycherbi 2020-06-21T23:04:12Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505406#M141234 <P class="lia-align-left">found it</P><P class="lia-align-left">&nbsp;</P><P>index=prod-* "WEBSERVICES CALL ENDED"&nbsp;</P><P>|rex field=time "(?&lt;time&gt;\d+)"</P><P>|where time&gt;1000</P> Sun, 21 Jun 2020 23:28:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505406#M141234 ycherbi 2020-06-21T23:28:20Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505450#M141249 <P>good job. please accept your answer. and I'm sorry for typo.</P> Mon, 22 Jun 2020 09:05:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-by-time/m-p/505450#M141249 to4kawa 2020-06-22T09:05:41Z