
What field is being matched on?

DFresh4130
Path Finder

I'm running the below splunk search and am getting some confusing results.

sourcetype=access_combined POST | rex field=_raw "(?P<response_time>\d([0-9]{5,5}))" | stats count, min(response_time),max(response_time),avg(response_time),median(response_time),stdev(response_time) by host

Below are some of the returned results:

192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2802350
192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2473207
192.168.254.2|-|-|[06/Jun/2014:12:13:02 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3438605
192.168.254.2|-|-|[06/Jun/2014:12:12:46 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|5334750
192.168.254.2|-|-|[06/Jun/2014:12:12:44 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|13049640

Based on the rex I should only be getting results where the field is a 5-digit, digits-only field. Looking at the results I'm not seeing any 5-character, digits-only fields. The last field is the Apache response time in microseconds, so that's what I'm going for. The only thing I can think of is that it's somehow matching on the date field, but there are special characters in between, so I'm not sure how that's possible.


richgalloway
SplunkTrust

I believe you are matching the right field, but not the way you expected. Try this regex string:

\|(?P<response_time>\d[0-9]{5,5})$

It should find events with only 5 digits at the end following a pipe.

---
If this reply helps you, an upvote would be appreciated.
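As an added example that is not part of either post above, the script below runs the question's regex and an end-anchored alternative over the sample events from the question (plus one constructed GET event with a five-digit response time) so you can see exactly which characters `\d([0-9]{5,5})` consumes, and then reproduces the `stats ... by host` rollup over the extracted values. Assumptions: Python's `re` module stands in for Splunk's PCRE engine (the `(?P<name>...)`, `\d` and `$` syntax behave the same for these ASCII inputs), and the first pipe-delimited field (the client address) is used as a stand-in for Splunk's `host` field, since the posted events do not carry one.

```python
import re
import statistics

# Constructed sample events in the same pipe-delimited layout as the question;
# the last field is the Apache response time in microseconds. The final GET
# event is added here to show what happens to a genuine five-digit value.
SAMPLE_EVENTS = [
    '192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2802350',
    '192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2473207',
    '192.168.254.2|-|-|[06/Jun/2014:12:13:02 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3438605',
    '192.168.254.2|-|-|[06/Jun/2014:12:12:46 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|5334750',
    '192.168.254.2|-|-|[06/Jun/2014:12:12:44 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|13049640',
    '192.168.254.9|-|-|[06/Jun/2014:12:12:40 -0400]|"GET /health HTTP/1.0"|200|12|"-"|"curl/7.30"|98765',  # constructed
]

# The regex from the question: one digit followed by exactly five more digits,
# with no anchor, so it matches the first run of six digits anywhere in _raw.
ORIGINAL_RE = re.compile(r"(?P<response_time>\d([0-9]{5,5}))")

# Anchored alternative: the digits that follow the last pipe and run to the end
# of the event, whatever their length.
ANCHORED_RE = re.compile(r"\|(?P<response_time>\d+)$")


def extract(pattern, event):
    """Return the response_time capture for one event, or None when no match."""
    m = pattern.search(event)
    return m.group("response_time") if m else None


def explain_match(pattern, event):
    """Return (captured_text, start, end) offsets into the event so the reader
    can see which characters the regex actually consumed, or None."""
    m = pattern.search(event)
    if not m:
        return None
    return m.group("response_time"), m.start("response_time"), m.end("response_time")


def stats_by_host(pattern, events):
    """Mimic '| stats count min max avg median stdev by host'.

    The first pipe-delimited field (client address) stands in for Splunk's
    host field here (assumption for this example). Events where the regex
    does not match contribute no value, exactly as rex would leave the field
    unset and stats would ignore it.
    """
    buckets = {}
    for ev in events:
        host = ev.split("|", 1)[0]
        val = extract(pattern, ev)
        if val is None:
            continue
        buckets.setdefault(host, []).append(int(val))
    return {
        host: {
            "count": len(vals),
            "min": min(vals),
            "max": max(vals),
            "avg": sum(vals) / len(vals),
            "median": statistics.median(vals),
            "stdev": statistics.stdev(vals) if len(vals) > 1 else 0.0,
        }
        for host, vals in buckets.items()
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("original:", explain_match(ORIGINAL_RE, ev), "anchored:", extract(ANCHORED_RE, ev))
    print(stats_by_host(ORIGINAL_RE, SAMPLE_EVENTS))
    print(stats_by_host(ANCHORED_RE, SAMPLE_EVENTS))
```

Running it shows why the numbers look wrong: nothing earlier in the event (address, timestamp, status, bytes) contains six consecutive digits, so the unanchored regex lands on the response time after all, but it stops after six digits and captures `280235` from `2802350` and `130496` from `13049640`. The stats are therefore computed over truncated values, and a genuine five-digit response time such as the constructed `98765` never matches at all. Anchoring on the trailing pipe and `$` (or extracting by delimiter position instead of by digit count) captures the whole field.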