Monitoring Splunk

Need Rest and Soap response time from HA proxy logs

ravir_jbp
Explorer

Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 "POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"

================================================================================
Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 "GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"
==========================================================================

I have this set of events (soap and rest services). These are the Haproxy (apache logs). I am trying to create a response time for each rest and soap call. I would like to extract the strings below from the events in the table format below:

1. Type of services (soap_services or rest_service )

2. hostname

3. status code (200)

4. responsetime (from the above events, 517722 and 18794 are millisecond response times). Need in seconds

0 Karma
1 Solution

scelikok
SplunkTrust

Hi @ravir_jbp,

You can use below rex command;

| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-\d+\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname status_code response_time

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

0 Karma

scelikok
SplunkTrust

Hi @ravir_jbp,

Great to hear it helped you. I added the port field as well:

| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname port status_code response_time

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma
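
A self-contained search that can be pasted into Splunk to check the extraction and add the seconds conversion asked for in the question. It is an added example, not code from any poster in this thread. It assumes the events use HAProxy's standard HTTP log format, in which the five slash-separated numbers are timers in milliseconds (the fourth is the server response time, the last is the total time) and the number after the status code is the bytes read. The field names `server_time_ms`, `total_time_ms`, `server_time_s`, `total_time_s`, `bytes_read` and `sample` are chosen here, and the third event is constructed to show a failed connection, where HAProxy logs `-1` for timers that were never reached.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample=if(n==3, "constructed for this example", "from the question")
| eval _raw=case(
    n==1, "Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 \"POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0\"",
    n==2, "Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 \"GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1\"",
    n==3, "Mar 8 05:53:44 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:41.000] abc rest_service/rest-hostname-5001 0/0/-1/-1/3001 503 212 - - sC-- 5/5/1/0/3 0/0 \"GET /services/cm/crosstags HTTP/1.1\"")
| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s(?:-?\d+\/){3}(?<server_time_ms>-?\d+)\/(?<total_time_ms>-?\d+)\s(?<status_code>\d+)\s(?<bytes_read>\d+)"
| eval total_time_s=round(tonumber(total_time_ms)/1000, 3)
| eval server_time_s=if(tonumber(server_time_ms)<0, null(), round(tonumber(server_time_ms)/1000, 3))
| table sample service hostname port status_code server_time_s total_time_s bytes_read
```

The timer group here accepts `-?\d+`, so the failed request still appears in the table with an empty `server_time_s`; a pattern that allows only `\d+` in the timers does not match such events and they drop out of the results.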

richgalloway
SplunkTrust

Try this regex

] \w+ (?<serviceType>\w+)[^-]+-(?<hostname>[^-]+)\S+\s\S+\s(?<statusCode>\d+)\s(?<responsetime>\d+)
---
If this reply helps you, Karma would be appreciated.
0 Karma

ravir_jbp
Explorer

Hi @scelikok, thank you so much. This solution worked for me!! It was of great help.

0 Karma

ravir_jbp
Explorer

Hello @scelikok ,

The query worked. However, I also need the port number along with the hostname, which is separated by "-" after every host name. Can you help me with that as well?

0 Karma