Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: create table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
462 <14>1 2019-03-26T10:45:33.423222+00:00 loggregator ae04d9d7-5ec4-4acd-a954-63c2e3733691 [APP/PROC/WEB] - - 2019-03-26 10:45:33.422+0000 org{am_sp} [log_from=ReportService] [thread=http-nio-8080-exec-8 ] INFO c.j.i.s.p.providers.PrismReportProvider [user=I298611] [swagger-d83e2a40-4fad-11e9-9d7a-6bf144a5c99d] [POST /api/v1/ts/collect/range] <-- Loaded Pri Report MAS/SRS - Time Series (EMEA-NOSPLIT)/72022/2019-03-15 (took 00:00:25.864)
I would like to put "took" values in table
index=am_sp log_from=ReportService "Loaded Pri Report"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need a regex to extract it and then use it in table
index=am_sp log_from=ReportService "Loaded Pri Report" | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need a regex to extract it and then use it in table
index=am_sp log_from=ReportService "Loaded Pri Report" | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to put that in graph
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
one way to get that in timechart is
index=am_sp log_from=ReportService "Loaded Pri Report" | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | timechart avg(time_taken) by host
Pls refer to the doc to change the reports/dashboards as you need.
https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchTutorial/Aboutsavingandsharingreports
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
