topic Re: How to extract fields with a value greater than 3 seconds? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282281#M85217 <P>The threshold sp_lunky looking for is 3 sec. You may want to correct it.</P> Wed, 08 Feb 2017 17:35:09 GMT somesoni2 2017-02-08T17:35:09Z How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282278#M85214 <P>First sorry for my english. I'm testing Splunk at the moment, and i have a task to extract a field from *.log files.<BR /><BR /> Raw value is :</P> <PRE><CODE>..xxxxxxxxxxxxxxx Duration: 1 s. 466 ms.... ..xxxxxxxxxxxxxxx Duration: 4 s. 066 ms... ..xxxxxxxxxxxxxxx Duration: 12 s. 300 ms... </CODE></PRE> <P>I want to to make an alert when the Duration is greater than 3 s</P> <P>for a Report I filtered with search command, but it won't show the value like: "11", "12"</P> <PRE><CODE>host=NAME | search (duration:"4" OR "5" OR "6" OR "7" OR "8" OR "9" ) </CODE></PRE> <P>Any help please!?</P> Wed, 08 Feb 2017 16:57:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282278#M85214 sp_lunky 2017-02-08T16:57:17Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282279#M85215 <P>try this, </P> <PRE><CODE>your base search | rex "Duration:\s+(?&lt;duration&gt;\d+)" | where duration&gt;3 </CODE></PRE> <P>Hope this will help you. </P> Wed, 08 Feb 2017 17:31:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282279#M85215 vasanthmss 2017-02-08T17:31:37Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282280#M85216 <P>Could you try this search?</P> <P><CODE>host=name | rex field=_raw "Duration\:\s(?&lt;duration_s&gt;\d+)\ss\.\s+(?&lt;duration_ms&gt;\d+)\sms" | eval duration=duration_s+(duration_ms/1000) | search duration_s="*"</CODE>?</P> <P>This would give you a float with the actual duration in <CODE>duration</CODE> and separate fields for the second and millisecond component to use your original filtering.</P> Wed, 08 Feb 2017 17:32:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282280#M85216 paulstout 2017-02-08T17:32:57Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282281#M85217 <P>The threshold sp_lunky looking for is 3 sec. You may want to correct it.</P> Wed, 08 Feb 2017 17:35:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282281#M85217 somesoni2 2017-02-08T17:35:09Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282282#M85218 <P>To meet the original 3 second requirement, <CODE>| where duration_s&gt;3</CODE> or <CODE>| search duration_s&gt;3</CODE> should suffice.</P> Wed, 08 Feb 2017 17:39:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282282#M85218 paulstout 2017-02-08T17:39:21Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282283#M85219 <P>updated the answer. </P> Wed, 08 Feb 2017 17:54:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282283#M85219 vasanthmss 2017-02-08T17:54:34Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282284#M85220 <P>Thank you very much! Both are good and working. But I accepted <STRONG>paulstout</STRONG> answer because it satisfy both my needs. <BR /> Thank you again!</P> Thu, 09 Feb 2017 12:00:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282284#M85220 sp_lunky 2017-02-09T12:00:42Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282285#M85221 <P>I believe you can accept more than one answer, if they both helped.</P> Thu, 09 Feb 2017 17:15:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282285#M85221 DalJeanis 2017-02-09T17:15:39Z Re: How to extract fields with a value greater than 3 seconds? https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282286#M85222 <P>Sorry, i didn't now that</P> Fri, 10 Feb 2017 14:50:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-with-a-value-greater-than-3-seconds/m-p/282286#M85222 sp_lunky 2017-02-10T14:50:54Z