462 <14>1 2019-03-26T10:45:33.423222+00:00 loggregator ae04d9d7-5ec4-4acd-a954-63c2e3733691 [APP/PROC/WEB] - - 2019-03-26 10:45:33.422+0000 org{am_sp} [log_from=ReportService] [thread=http-nio-8080-exec-8 ] INFO c.j.i.s.p.providers.PrismReportProvider [user=I298611] [swagger-d83e2a40-4fad-11e9-9d7a-6bf144a5c99d] [POST /api/v1/ts/collect/range] <-- Loaded Pri Report MAS/SRS - Time Series (EMEA-NOSPLIT)/72022/2019-03-15 (took 00:00:25.864)
I would like to put the "took" values in a table.
index=am_sp log_from=ReportService "Loaded Pri Report"
You would need a regex to extract it and then use it in a table:
index=am_sp log_from=ReportService "Loaded Pri Report" | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken
How do I put that in a graph?
One way to get that in a timechart is:
index=am_sp log_from=ReportService "Loaded Pri Report" | rex field=_raw "took\s+(?<h>\d+):(?<m>\d+):(?<s>[\d.]+)" | eval time_taken=tonumber(h)*3600+tonumber(m)*60+tonumber(s) | timechart avg(time_taken) by host
Please refer to the doc to change the reports/dashboards as you need.
https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchTutorial/Aboutsavingandsharingreports
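Added example, not part of the original thread: a search that runs without the index and checks the extraction against a shortened copy of the log line above plus one constructed event that has no duration. It converts the HH:MM:SS.mmm string to seconds, because avg() only works on numeric values. The field names took, h, m, s, took_seconds and parse_status are assumptions chosen for this example.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n=1, "2019-03-26 10:45:33.422+0000 [log_from=ReportService] INFO c.j.i.s.p.providers.PrismReportProvider [POST /api/v1/ts/collect/range] <-- Loaded Pri Report MAS/SRS - Time Series (EMEA-NOSPLIT)/72022/2019-03-15 (took 00:00:25.864)",
    n=2, "2019-03-26 10:46:02.101+0000 [log_from=ReportService] INFO c.j.i.s.p.providers.PrismReportProvider [POST /api/v1/ts/collect/range] <-- Loaded Pri Report (duration missing)")
| rex field=_raw "\(took\s+(?<took>(?<h>\d+):(?<m>\d+):(?<s>\d+(?:\.\d+)?))\)"
| eval took_seconds=tonumber(h)*3600 + tonumber(m)*60 + tonumber(s)
| eval parse_status=if(isnull(took_seconds), "no duration found", "ok")
| table n, took, took_seconds, parse_status
```

Once the values look right, replace the first three commands with the base search and end with `| timechart avg(took_seconds) by host`; events where the duration did not parse have a null took_seconds and are ignored by avg().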