Monitoring Splunk

Need REST and SOAP response time from HAProxy logs

ravir_jbp
Explorer

Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 "POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"

Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 "GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"

I have this set of events (SOAP and REST services). These are the HAProxy (Apache) logs. I am trying to create a response time for each REST and SOAP call. I would like to extract the strings below from the events, in the table format below:

1. Type of service (soap_services or rest_service)

2. hostname

3. status code (200)

4. responsetime (from the above events: 517722 and 18794 are the response times in milliseconds). Needed in seconds.


scelikok
SplunkTrust

Hi @ravir_jbp,

You can use the rex command below:

| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-\d+\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname status_code response_time

 

If this reply helps you, an upvote and "Accept as Solution" are appreciated.


scelikok
SplunkTrust

Hi @ravir_jbp,

Great to hear it helped you. I added the port field as well:

rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname port status_code response_time
If this reply helps you, an upvote and "Accept as Solution" are appreciated.
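As an added example that is not part of the thread or of Splunk, the port-inclusive rex from the accepted answer applied outside Splunk in Python to the two events quoted in the question, with response_time converted to seconds as the question asks; beyond what the thread extracts, it also captures the five-number timer block (HAProxy's Tq/Tw/Tc/Tr/Tt, in milliseconds). The third sample line and the function names are constructed for this example.

```python
import re

# Regex from the accepted answer (port variant), transcribed to Python's
# (?P<name>...) group syntax; the slash-separated timer block is captured too.
HAPROXY_RE = re.compile(
    r"\[[^\]]+\]\s\w+\s(?P<service>[^/]+)/\w+-(?P<hostname>\w+)-(?P<port>\d+)"
    r"\s(?P<timers>\d+(?:/\d+){4})"
    r"\s(?P<status_code>\d+)\s(?P<response_time>\d+)"
)


def parse_haproxy_line(line):
    """Return the fields the thread asks for, or None if the line does not match."""
    m = HAPROXY_RE.search(line)
    if m is None:
        return None
    timers = [int(t) for t in m.group("timers").split("/")]
    return {
        "service": m.group("service"),
        "hostname": m.group("hostname"),
        "port": int(m.group("port")),
        "status_code": int(m.group("status_code")),
        # The question treats this field as milliseconds and wants seconds.
        "response_time_s": int(m.group("response_time")) / 1000.0,
        # Last value of the Tq/Tw/Tc/Tr/Tt block: HAProxy's own total time in ms.
        "total_time_ms": timers[-1],
    }


# Sample input: the two events quoted in the question plus one constructed
# non-request line, to show that lines in another format are skipped.
SAMPLE_LINES = [
    'Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 "POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"',
    'Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 "GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"',
    "Mar 8 05:53:41 localhost haproxy[1668]: Proxy abc started.",
]


def parse_lines(lines):
    """Parse every line, dropping those that do not match the request format."""
    return [r for r in map(parse_haproxy_line, lines) if r is not None]


if __name__ == "__main__":
    for row in parse_lines(SAMPLE_LINES):
        print(row)
```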

richgalloway
SplunkTrust

Try this regex:

] \w+ (?<serviceType>\w+)[^-]+-(?<hostname>[^-]+)\S+\s\S+\s(?<statusCode>\d+)\s(?<responsetime>\d+)
---
If this reply helps you, Karma would be appreciated.


ravir_jbp
Explorer

Hi @scelikok, thank you so much. This solution worked for me! It was of great help.


ravir_jbp
Explorer

Hello @scelikok,

The query worked. However, I also need the port number along with the hostname, which is separated with "-" after every hostname. Can you help me with that as well?
