topic Re: Need help with a greater than in seconds in Splunk Search

Need help with a greater than in seconds

trehman — Tue, 29 Sep 2020 12:46:56 GMT

My search alert filter: host=web-* "\"response_code\": 5*," OR "\"message\": \"Application Error\"" OR "\"response_code\": 0"\"total_time\" userloans

QUESTION. I need to modify my alert so it captures all responses that has greater than total_time of 9 secs (below sample). What should I add to capture this to my alert above? Any help would be great!

E, [2017-02-11T03:09:33.426066 #58] ERROR -- : {
"url": "http://12345/A.v.x455.adfadfr.co/loans/userloans",
"method": "get",
"request_headers": {
"Content-Type": "application/json",
"client_ip": "[FILTERED]",
},
"request_body": null,
"response_code": 0,
"response_body": "",
"total_time": 9.0,
"starttransfer_time": 0.0,
"appconnect_time": 0.0,
"pretransfer_time": 0.0001,
"connect_time": 0.0,
"namelookup_time": 0.0,
"redirect_time": 0.0
}

Re: Need help with a greater than in seconds

pradeepkumarg — Sat, 11 Feb 2017 07:30:25 GMT

If you don't have it already, you need to extract the total time into a field like below and filter on it

your base search | rex "(?i)\Wtotal_time\W{2}(?P<TOTAL_TIME>\.\S+)\," | where TOTAL_TIME > 9

The above rex might not be perfect, but you get the idea

Re: Need help with a greater than in seconds

gokadroid — Sat, 11 Feb 2017 07:41:03 GMT

Hope this helps:

host=web- "\"response_code\": 5," OR "\"message\": \"Application Error\"" OR "\"response_code\": 0"\"total_time\" userloans
| rex field=_raw "\"total_time\":\s*(?<totalTime>[^,\s]+)"
| where totalTime > 9