Solved: How to edit a rex search in order to find the aver...

anthonycopus · ‎12-08-2016

Hi,

I'm currently have issues parsing the duration I've created to find the average time between 2 fields based on a set of logs.
In short, the field I'm trying to parse is in this format:

35+00:06:47.000000

And I'm using this rex:

| rex field=diff "(?<durationDays>\d+)+(?<durationHours>\d+):(?<durationMinutes>\d+):(?<durationSeconds>.*)"

However, the "durationDays" here is coming out completely wrong, and is actually an optional field since many of the logs will have less than 1 day. What's the best way to approach this?

bshuler_splunk · ‎12-08-2016

| makeresults | eval date="35+00:06:47.000000%35+00:06:47.000000%+00:06:47.000000%00:06:47.000000" | rex field=date max_match=0 "(?<date>[^%]+)" | mvexpand date | table date | rex field=date "(?<durationDays>\d+)?\+?(?<durationHours>\d{2}):(?<durationMinutes>\d{2}):(?<durationSeconds>\d{2}\.\d{6})"

View solution in original post

bshuler_splunk · ‎12-08-2016

| makeresults | eval date="35+00:06:47.000000%35+00:06:47.000000%+00:06:47.000000%00:06:47.000000" | rex field=date max_match=0 "(?<date>[^%]+)" | mvexpand date | table date | rex field=date "(?<durationDays>\d+)?\+?(?<durationHours>\d{2}):(?<durationMinutes>\d{2}):(?<durationSeconds>\d{2}\.\d{6})"

anthonycopus · ‎12-08-2016

Perfect, thanks a lot!

How to edit a rex search in order to find the average duration time between two fields?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...