sourcetype="mylog" | rex "(?i)\(ms\):(?P<duration>.+)" | eval epochtime=_time | sort epochtime | table epochtime,duration
I am unable to figure out what is happening within the rex statement above.
(Data in log file comes in this format).
I can understand that we're trying to catch "(ms):" in the rex command through "
but am not able to figure out the rest of it.
This command is extremely slow in performance - I would request suggestions on what changes could be made to improve the performance.
"(?i)\(ms\):(?P<duration>.+)"
(?i) = case insensitive
\(ms\): = match (ms): literally
(?P<duration>.+) = match 1 or more characters and make this available in the 'duration' field
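To make the breakdown above concrete, here is an added example (not part of the answer above, and not Splunk code) that runs the same pattern over a few constructed log lines with Python's re module, which understands the (?i) flag and the (?P<name>...) named-group syntax the same way Splunk's PCRE-based rex does. The sample events are made up for the demonstration. It also runs a tightened variant that captures digits only, to show the difference the greedy .+ makes when text follows the number:

```python
import re
from typing import List, Optional

# The rex pattern from the question, unchanged.
PATTERN = re.compile(r"(?i)\(ms\):(?P<duration>.+)")

# Assumed tighter alternative: capture only the digits after "(ms):".
TIGHT_PATTERN = re.compile(r"(?i)\(ms\):(?P<duration>\d+)")

# Constructed sample events (not from the original post) in the
# "... (ms):<value>" shape the pattern expects. The second uses upper-case
# "(MS):" and has trailing text; the third has no timing at all.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 request=/login (ms):1532",
    "2024-01-01 10:00:01 request=/search (MS):87 status=200",
    "2024-01-01 10:00:02 request=/health no timing here",
]


def extract_duration(event: str, pattern: re.Pattern = PATTERN) -> Optional[str]:
    """Return what the 'duration' group captures, or None when the event does
    not match (in Splunk the event simply gets no duration field)."""
    m = pattern.search(event)
    return m.group("duration") if m else None


def extract_durations(events: List[str]) -> List[Optional[str]]:
    """Apply the original pattern to every event."""
    return [extract_duration(e) for e in events]


def extract_durations_digits(events: List[str]) -> List[Optional[str]]:
    """Apply the digits-only pattern to every event."""
    return [extract_duration(e, TIGHT_PATTERN) for e in events]


if __name__ == "__main__":
    for event, loose, tight in zip(SAMPLE_EVENTS,
                                   extract_durations(SAMPLE_EVENTS),
                                   extract_durations_digits(SAMPLE_EVENTS)):
        print(f"{event!r}\n  .+ captures: {loose!r}\n  \\d+ captures: {tight!r}")
```

Two things the output makes visible: the + in .+ is the regex "one or more" quantifier, not arithmetic, and because .+ is greedy it swallows everything to the end of the event, so the second event yields "87 status=200" rather than "87". The (?i) flag is why "(MS):" still matches. If the field is meant to be numeric (for example for sort or stats), the \d+ form is the safer extraction.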
It is extremely unlikely that the rex is the bottleneck. For something that simple, the regex engine would process tens of thousands of lines a second, and probably a lot more.
Put your search in the search bar.
Let it run, then press the Job Inspector button (the blue one with "i" on it).
You'll see what parts of the search take longest.
command.rex will be listed somewhere - it's likely that it's a very short bar.
The following are the timings shown - it looks like command.search is also taking time. There are 26,128 matching events.
Duration (seconds)  Component  Invocations  Input count  Output count
1.518  dispatch.fetch  13  -  -
To clarify - query was written by someone else who left the firm 😞
1. I didn't understand what the query is doing - I'm just getting the output of time and duration (how is duration extracted, and what does the + symbol denote - is it adding anything? And overall, what is the segment to the right of rex doing? I am unable to get it.)
2. The whole query is slow - my assumption is that rex and the segment next to rex are taking too much time for Splunk to evaluate.
So what you're saying is that you wrote a query and you don't understand what it does? Is something not working, or is it working but you don't understand why?
Also, I'm not aware of any particular performance issues with rex - do you mean that the performance of rex itself is poor, or do you mean that the whole query, with or without rex, is slow?