topic Re: Extracting values from a event log search for key value pairs in Splunk Search

Extracting values from a event log search for key value pairs

mpd202004 — Mon, 20 Apr 2020 00:55:10 GMT

Hello community,

I am using search to get the values for ‘runtime’ and trying to get overall stats for a runtime values in the log for a given time period.

For my search command, I get the output with multiple rows as per below ( single row) -

host: abc-lyui-09
   level: info
   msg: {"key”:”#’abc.xyz.services.abc-def/call-qwe-rt-nats","return":"{\"status\":\"error\",\"errors\":[{\"code\":\"server-error\"}],\"timestamp\":\"2020-04-19T17:38:25.147Z\"}","time":600474579345999,"start-time":600473689740122,"state":"return","stop-time":600474579339135,"thread":48703,"runtime":889.599013,"correlation-id":"f0c7e1d1-db8d-4fb7-b564-e89c6fc625f3"}
   timestamp: 2020-04-19 17:38:25.150+0000

I am trying to extract values for ‘runtime’ ( example above with 889.599013) from the log for a given time range to find the trend ( e.g. last 24 hrs).

The example output can be for a selected time period.

timestamp, runtime , correlation-id

Whats the best way to get the output? I am novice to splunk search and reporting.

Thanks,

Re: Extracting values from a event log search for key value pairs

to4kawa — Mon, 20 Apr 2020 01:44:38 GMT

use rex . this command extracts the field. you can use https://regex101.com to check REGEX.
use table . this command displays selected fields.

reference:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table

sample:

| makeresults 
| eval _raw="host: abc-lyui-09
   level: info
   msg: {\"key”:”#’abc.xyz.services.abc-def/call-qwe-rt-nats\",\"return\":\"{\\\"status\\\":\\\"error\\\",\\\"errors\\\":[{\\\"code\\\":\\\"server-error\\\"}],\\\"timestamp\\\":\\\"2020-04-19T17:38:25.147Z\\\"}\",\"time\":600474579345999,\"start-time\":600473689740122,\"state\":\"return\",\"stop-time\":600474579339135,\"thread\":48703,\"runtime\":889.599013,\"correlation-id\":\"f0c7e1d1-db8d-4fb7-b564-e89c6fc625f3\"}
   timestamp: 2020-04-19 17:38:25.150+0000" 
| rex max_match=3 "timestamp\W+(?<timestamp>[^\"]+Z)|runtime\W+(?<runtime>[\d.]+)|correlation-id\W+(?<correlation_id>[\w-]+)"

Re: Extracting values from a event log search for key value pairs

mpd202004 — Mon, 20 Apr 2020 03:08:03 GMT

Thanks @to4kawa for a quick reply. I was able to use for a single recurrence.

I have a followup query as how to combine it with search command evaluate overall output for a specified time range. The raw data above is the output from the search command for a single occurence.

The search command I have used is -

call-abc-dp-nats runtime

which emits the output for events for multiple rows in the format of raw data as per above.

How to pipe the output from search command in 'eval' to get results across all the rows (events) ?

Re: Extracting values from a event log search for key value pairs

to4kawa — Mon, 20 Apr 2020 07:02:33 GMT

see following:

https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Questions#Details.2C_details.2C_details

https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval