how to extract the response time from below logs

New Member

The information has already changed.............


Splunk Employee

If I am correct in assuming the number in bold is the response time, you can extract it via the search like this:

YOUR BASE SEARCH 
| rex field=_raw "\d{3} - (?<responsetime>\d+) \""

You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.

If you did want to tweak the regex, or write it yourself, a great tool to use is www.regex101.com to build those regular expressions.


SplunkTrust

FYI, the leading .* is almost always assumed with Splunk regex.


Splunk Employee

Point taken. =D


SplunkTrust

via rex (in your search)

 ...| rex "\d{3}\s+-\s+(?<ms>\d+)"

via props.conf (in search app - may require restart)

 [sourcetypeName]
 EXTRACT-ms = \d{3}\s+-\s+(?<ms>\d+)

SplunkTrust

This works at search time. You could adapt it for use at index time.

... | rex "\] \".*?\" \d+ - (?<responseTime>\d+)" | ...
---
If this reply helps you, an upvote would be appreciated.
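To check what the rex patterns in this thread actually capture before putting one into props.conf, here is an added, stand-alone Python version (not from the thread or from Splunk). The original sample event was not preserved, so the log lines below are constructed in the shape the last reply's regex implies: `] "<request>" <status> - <response time> "...`. It also shows why anchoring on `] "` matters and counts the events the pattern fails to match, so a silent extraction failure shows up as a number rather than missing data.

```python
import re

# Constructed sample events (not from the original post), shaped like
# ...] "<request>" <status> - <response time> "<user agent>"
SAMPLE_EVENTS = [
    '10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 200 - 87 "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:15:33 +0000] "POST /api/export HTTP/1.1" 200 - 5321 "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:15:34 +0000] "GET /static/app.js HTTP/1.1" 304 - 3 "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2024:10:15:35 +0000] "GET /admin HTTP/1.1" 403 - 12 "python-requests/2.31"',
    "malformed line with no request block",
]

# Python equivalent of the thread's rex  \] \".*?\" \d+ - (?<responseTime>\d+)
# Python names groups with (?P<name>...); Splunk/PCRE accept (?<name>...).
# Anchoring on '] "' skips the timestamp so a number there is never mistaken
# for the status code or the response time.
RESPONSE_TIME_RE = re.compile(r'\] ".*?" (?P<status>\d{3}) - (?P<responseTime>\d+)')


def extract_response_time(event):
    """Return (status, response_time) as ints, or None if the regex does not match."""
    m = RESPONSE_TIME_RE.search(event)
    if m is None:
        return None
    return int(m.group("status")), int(m.group("responseTime"))


def extraction_report(events, threshold_ms):
    """Summarize extraction over a batch of events.

    'unmatched' is the count of events the pattern did not fit (a regex that
    quietly matches nothing would otherwise look like a clean, empty result);
    'slow' lists the events whose response time exceeds threshold_ms.
    """
    report = {"matched": 0, "unmatched": 0, "slow": []}
    for event in events:
        parsed = extract_response_time(event)
        if parsed is None:
            report["unmatched"] += 1
            continue
        report["matched"] += 1
        _, response_time = parsed
        if response_time > threshold_ms:
            report["slow"].append(event)
    return report


if __name__ == "__main__":
    print(extraction_report(SAMPLE_EVENTS, threshold_ms=1000))
```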
