https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236125#M70131 <P>Hello, </P> <P>I am new to Splunk, can you help me figure out to extract and fields from logs that look like the below</P> <PRE><CODE>2016-10-06T21:22:15.285+0000 I COMMAND [conn337418] command PersoTestServiceDB.$cmd command: update { update: "Test_Stage", updates: 1000, ordered: false, shardVersion: [ Timestamp 0|0, ObjectId('000000000000000000000000') ] } keyUpdates:0 writeConflicts:0 numYields:0 reslen:232 locks:{ Global: { acquireCount: { r: 2000, w: 2000 } }, Database: { acquireCount: { w: 2000 } }, Collection: { acquireCount: { w: 1000 } }, Metadata: { acquireCount: { w: 1000 } }, oplog: { acquireCount: { w: 1000 } } } protocol:op_command 175ms </CODE></PRE> <P>The above block is from a MongoDB log file, I am mostly interested in extracting the last field and then sort by the field with the largest value in "ms". I am trying to see how long queries take to complete on average as well as identify the long running queries from the logs. I would also like to list the long running query next to the query time when sorted.</P> <P>Your assistance is appreciated. Thanks.</P> Thu, 06 Oct 2016 21:39:36 GMT kchongo 2016-10-06T21:39:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236125#M70131 <P>Hello, </P> <P>I am new to Splunk, can you help me figure out to extract and fields from logs that look like the below</P> <PRE><CODE>2016-10-06T21:22:15.285+0000 I COMMAND [conn337418] command PersoTestServiceDB.$cmd command: update { update: "Test_Stage", updates: 1000, ordered: false, shardVersion: [ Timestamp 0|0, ObjectId('000000000000000000000000') ] } keyUpdates:0 writeConflicts:0 numYields:0 reslen:232 locks:{ Global: { acquireCount: { r: 2000, w: 2000 } }, Database: { acquireCount: { w: 2000 } }, Collection: { acquireCount: { w: 1000 } }, Metadata: { acquireCount: { w: 1000 } }, oplog: { acquireCount: { w: 1000 } } } protocol:op_command 175ms </CODE></PRE> <P>The above block is from a MongoDB log file, I am mostly interested in extracting the last field and then sort by the field with the largest value in "ms". I am trying to see how long queries take to complete on average as well as identify the long running queries from the logs. I would also like to list the long running query next to the query time when sorted.</P> <P>Your assistance is appreciated. Thanks.</P> Thu, 06 Oct 2016 21:39:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236125#M70131 kchongo 2016-10-06T21:39:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236126#M70132 <P>If your data is already in Splunk, you could try this in your search<BR /> *<STRONG><EM>UPDATED</EM></STRONG>*</P> <PRE><CODE>base search NOT "sleeping" | rex "(?&lt;dur&gt;\d+)ms" | eventstats avg(dur) as avg_dur | sort - dur | table _time _raw dur avg_dur </CODE></PRE> Thu, 06 Oct 2016 22:42:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236126#M70132 sundareshr 2016-10-06T22:42:13Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236127#M70133 <P>Thanks this looks good, now one more thing; how can I strip out a log entry below that is counting sleep time; its adding to the average calculation and when sorted appears at the top of the results.</P> <PRE><CODE>2016-10-07T00:11:56.366+0000 I SHARDING [LockPinger] cluster mongodbhost1a:27019,mongodbhost1b:27019,mongodbhost1c:27022 pinged successfully at 2016-10-07T00:11:55.615+0000 by distributed lock pinger 'mongodbhost1a:27019,mongodbhost1b:27019,mongodbhost1c:27022/mongodbhost4a:27018:1469673136:466927433', sleeping for 30000ms </CODE></PRE> Fri, 07 Oct 2016 00:22:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236127#M70133 kchongo 2016-10-07T00:22:57Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236128#M70134 <P>Try the updated search</P> Fri, 07 Oct 2016 02:18:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236128#M70134 sundareshr 2016-10-07T02:18:30Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236129#M70135 <P>Thanks, this gives me what I am looking for. I can build more around this starting point. </P> <P>I noticed that the time seems to be shown on the graph on reverse, the latest times are the one closest to the x and y intersection; should this be the other way round? How can I fix this</P> Fri, 07 Oct 2016 14:44:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-and-compute-fields-from-a-MongoDB-log/m-p/236129#M70135 kchongo 2016-10-07T14:44:06Z