Solved: Re: create table

swetasoneji · ‎03-26-2019

462 <14>1 2019-03-26T10:45:33.423222+00:00 loggregator ae04d9d7-5ec4-4acd-a954-63c2e3733691 [APP/PROC/WEB] - - 2019-03-26 10:45:33.422+0000 org{am_sp} [log_from=ReportService] [thread=http-nio-8080-exec-8 ] INFO c.j.i.s.p.providers.PrismReportProvider [user=I298611] [swagger-d83e2a40-4fad-11e9-9d7a-6bf144a5c99d] [POST /api/v1/ts/collect/range] <-- Loaded Pri Report MAS/SRS - Time Series (EMEA-NOSPLIT)/72022/2019-03-15 (took 00:00:25.864)

I would like to put "took" values in table

index=am_sp log_from=ReportService "Loaded Pri Report"

lakshman239 · ‎03-26-2019

You would need a regex to extract it and then use it in table

index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken

https://regex101.com/r/lcAZF0/1

View solution in original post

lakshman239 · ‎03-26-2019

You would need a regex to extract it and then use it in table

index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | table _time, time_taken

https://regex101.com/r/lcAZF0/1

swetasoneji · ‎03-27-2019

How to put that in graph

lakshman239 · ‎03-27-2019

one way to get that in timechart is

 index=am_sp log_from=ReportService "Loaded Pri Report"   | rex field=_raw "took(\s+(?<time_taken>[0-9:.]+))" | timechart avg(time_taken) by host

Pls refer to the doc to change the reports/dashboards as you need.

https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchTutorial/Aboutsavingandsharingreports

create table

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

create table

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!