topic Re: How to extract a field that has value more than 10 sec? in Splunk Search

How to extract a field that has value more than 10 sec?

splunknoob2020 — Tue, 15 Dec 2020 04:31:20 GMT

I have a splunk query that gives me all the logs of slow queries(AQL) but I need to know which ones have taken more than 10 sec. I need to compare them with previous version slow queries and see if there is any improvement?

My splunk query:

index=hello_world host_zone=pr source="*hi*" "slow query"

Sample log:

slow query: 'FOR s IN abcdef FILTER LOWER(ghijk) == '123456789' LET serviceId = lmno FOR v IN pqrst GRAPH uvw_xyz RETURN v', bind vars: {}, took: 5.384533 s

Re: How to extract a field that has value more than 10 sec?

gcusello — Tue, 15 Dec 2020 07:49:38 GMT

Hi @splunknoob2020,

your problem is to extract the field or to compare results?

if it's extracting field, you can use a regex or the field extractor, using regexes:

| rex "took:\s+(?<took>[^ ]+)"

that you can test at https://regex101.com/r/b9Mk8r/1

Ciao.

Giuseppe

Re: How to extract a field that has value more than 10 sec?

splunknoob2020 — Tue, 15 Dec 2020 11:22:59 GMT

Thank you for the response, @gcusello . Your query helped me in extracting the field, now I need to get all the slow queries which took more than 10 sec. Let's say in a tabular format I would like to see the slow query and the time it took to run in two columns?

Re: How to extract a field that has value more than 10 sec?

gcusello — Tue, 15 Dec 2020 13:00:08 GMT

Hi @splunknoob2020,

not you have to create your search adding the condition (>10 sec) and the fields to list, something like this:

index=hello_world host_zone=pr source="*hi*" "slow query" | rex "took:\s+(?<took>[^ ]+)" | where took>10 | table <your-fields>

Ciao.

Giuseppe