Parsing us and ms times (e.g. q=15ms)

Oren — Thu, 15 Jul 2010 02:51:49 GMT

We have a log line that looks like:

Jul 14 15:47:34 127.0.0.1 1 [000004ff000216970000489c] Serv foo.com 158578_40df389_527b/127.0.0.1:10465 2/10 ql=0 rt=49us wait=0ms sok=2ms tot=2ms sv=175ms ut=7us xfr=1093944

I'd like to be able to run a query where I find all entries where the wait is greater than 200ms for example. Splunk is parsing it as a text field right now though. Suggestions on how to get this numeric? I don't care about the units really - the fact that some numbers are milliseconds and some are microseconds doesn't matter in splunk if that helps.

Re: Parsing us and ms times (e.g. q=15ms)

ziegfried — Thu, 15 Jul 2010 03:10:07 GMT

If your events would contain "q=15ms"you could extract the numerical value using the rex command:

<your search> | rex field=q "(?<q_numeric>\d+)(?<q_unit>\D+)"

The field q_numeric would then contain the numeric value 15 and q_unit with the value "ms"

You could also normalize the value of q_numeric like this:

... | eval q_us=if(q_unit="ms", q_numeric*1000, q_numeric)

and filter out those events > 200ms with

... | where q_us>200000

topic Parsing us and ms times (e.g. q=15ms) in Splunk Search

Parsing us and ms times (e.g. q=15ms)

Re: Parsing us and ms times (e.g. q=15ms)