topic Re: Query execution time in Splunk Search

Query execution time

benji00 — Tue, 29 Sep 2020 23:40:52 GMT

Hello,

When searching through Splunk the following request:
index=3dexperience host=io-ws-3de*pr COMPLETE_QUERY
I am receiving events as written below:
2019-03-12 08:32:40.629 | [http-nio-8094-exec-4] | DEBUG | c.d.federated_search.utils.Log | | | | [577] ##### [TIMER][CVServlet][COMPLETE_QUERY][113][ms] #####
2019-03-12 08:27:09.782 | [http-nio-8094-exec-6] | DEBUG | c.d.federated_search.utils.Log | | | | [444] ##### [TIMER][CVServlet][COMPLETE_QUERY][118][ms] #####

My final objective is to have a timechart of the COMPLET_QUERY execution time in ms with the content of the next [] after the [COMPLETE_QUERY] one.
Any idea? How to know if the log is a known format?
I am currently trying by extracting new fields and using delimiters...

Re: Query execution time

nickhills — Tue, 12 Mar 2019 10:20:44 GMT

Hi @benji00

I'm not clear if you have already extracted the fields - if not that would be the best approach.

However, a quick and dirty way is to do the extraction inline:

index=3dexperience host=io-ws-3de*pr COMPLETE_QUERY|rex "COMPLETE_QUERY\]\[(?P<response_time>\d+)"|timechart avg(response_time)

Re: Query execution time

benji00 — Wed, 13 Mar 2019 12:18:15 GMT

Hello @nickhillscpl,
Thanks for you feedback.
Yes finally I used the extractong fields mode by using delimiters and it is working correctly. Not sure if it is the most efficient way but it is working.
Your way seems quite clean... why do you say it is a dirty way ?
Anyway I am going to accept your comment.