Solved: create table

swetasoneji · ‎03-26-2019

462 <14>1 2019-03-26T10:45:33.423222+00:00 loggregator ae04d9d7-5ec4-4acd-a954-63c2e3733691 [APP/PROC/WEB] - - 2019-03-26 10:45:33.422+0000 org{am_sp} [log_from=ReportService] [thread=http-nio-8080-exec-8 ] INFO c.j.i.s.p.providers.PrismReportProvider [user=I298611] [swagger-d83e2a40-4fad-11e9-9d7a-6bf144a5c99d] [POST /api/v1/ts/collect/range] <-- Loaded Pri Report MAS/SRS - Time Series (EMEA-NOSPLIT)/72022/2019-03-15 (took 00:00:25.864)

I would like to put "took" values in table

index=am_sp log_from=ReportService "Loaded Pri Report"

lakshman239 · ‎03-26-2019

You would need a regex to extract it and then use it in table

index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken

https://regex101.com/r/lcAZF0/1

View solution in original post

lakshman239 · ‎03-26-2019

You would need a regex to extract it and then use it in table

index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken

https://regex101.com/r/lcAZF0/1

swetasoneji · ‎03-27-2019

How to put that in graph

lakshman239 · ‎03-27-2019

one way to get that in timechart is

 index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | timechart avg(time_taken) by host

Pls refer to the doc to change the reports/dashboards as you need.

https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchTutorial/Aboutsavingandsharingreports

create table

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio