Monitoring Splunk

Need REST and SOAP response time from HAProxy logs

ravir_jbp
Explorer

Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 "POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"

Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 "GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"

I have these two sets of events (SOAP and REST services). These are the HAProxy (apache) logs. I am trying to create a response time for each REST and SOAP call. I would like to extract the strings below from the events, in the table format below:

1. Type of service (soap_services or rest_service)

2. hostname

3. status code (200)

4. responsetime (from the above events, 517722 and 18794 are the millisecond response times). Need it in seconds


scelikok
SplunkTrust

Hi @ravir_jbp,

You can use the rex command below:

| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-\d+\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname status_code response_time

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


scelikok
SplunkTrust

Hi @ravir_jbp,

Great to hear it helped you. I added the port field as well:

| rex "\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s\d+(?:\/\d+){4}\s(?<status_code>\d+)\s(?<response_time>\d+)"
| table _time service hostname port status_code response_time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

richgalloway
SplunkTrust

Try this regex:

] \w+ (?<serviceType>\w+)[^-]+-(?<hostname>[^-]+)\S+\s\S+\s(?<statusCode>\d+)\s(?<responsetime>\d+)
---
If this reply helps you, Karma would be appreciated.
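The two extraction regexes from the answers above (scelikok's version with the port field, and richgalloway's), run against the two events from the question, as an added Python example; this is not code from any of the posts and not Splunk tooling. Two things are assumed or changed relative to the posted SPL: Python's re module spells named groups (?P<name>...) where Splunk's PCRE accepts (?<name>...), and the HAProxy timer block 0/0/0/1191/1198 is captured as a group instead of being skipped, so the last timer can be reported alongside the requested field. The seconds conversion the question asks for is done on the extracted value; the field names service, hostname, port, status_code, response_time, response_time_sec, total_time_ms and the helper names extract and table are this example's own.

```python
import re

# Two events constructed from the lines in the question (the "IP:port"
# placeholder is kept exactly as it appears there).
EVENTS = [
    'Mar 8 05:53:40 localhost haproxy[1668]: IP:port[08/Mar/2021:05:53:39.081] abc '
    'soap_services/soap-hostname-5000 0/0/0/1191/1198 200 517722 - - ---- 6/6/1/0/0 0/0 '
    '"POST /connect/StatelessSoapAcceptor/?gtxInitialProcess=FrameworkEVAServices.API.Tag.TagV1 HTTP/1.0"',
    'Mar 8 05:53:40 localhost haproxy[328]: IP:port [08/Mar/2021:05:53:39.070] abc '
    'rest_service/rest-hostname-5001 0/0/0/1279/1280 200 18794 - - --VN 5/5/1/0/0 0/0 '
    '"GET /services/cm/crosstags?sourcetag=kbase_test&targettagset=topic HTTP/1.1"',
]

# scelikok's second regex (with port). Changes from the posted pattern:
# (?<name>...) becomes Python's (?P<name>...), and the Tq/Tw/Tc/Tr/Tt timer
# block is captured as "timers" instead of being matched and thrown away.
SCELIKOK_RE = re.compile(
    r"\[[^\]]+\]\s\w+\s(?P<service>[^/]+)/\w+-(?P<hostname>\w+)-(?P<port>\d+)"
    r"\s(?P<timers>\d+(?:/\d+){4})\s(?P<status_code>\d+)\s(?P<response_time>\d+)"
)

# richgalloway's regex, with only the named-group syntax translated.
RICHGALLOWAY_RE = re.compile(
    r"\] \w+ (?P<serviceType>\w+)[^-]+-(?P<hostname>[^-]+)\S+\s\S+"
    r"\s(?P<statusCode>\d+)\s(?P<responsetime>\d+)"
)

# richgalloway's group names mapped onto scelikok's so both regexes yield
# rows of the same shape (assumed mapping, made for this example).
FIELD_MAP = {
    "serviceType": "service",
    "statusCode": "status_code",
    "responsetime": "response_time",
}


def extract(event, pattern=SCELIKOK_RE):
    """Apply one extraction regex to one event, like `| rex` on a single row.

    Returns a dict of fields, or None when the event does not match (a
    truncated or non-HTTP HAProxy line, for example) so callers can count
    how many events the regex silently drops.
    """
    m = pattern.search(event)
    if m is None:
        return None
    fields = {FIELD_MAP.get(k, k): v for k, v in m.groupdict().items()}
    fields["status_code"] = int(fields["status_code"])
    fields["response_time"] = int(fields["response_time"])
    # What the question asks for: the extracted value divided by 1000
    # (the SPL equivalent is `| eval response_time_sec = response_time/1000`).
    fields["response_time_sec"] = fields["response_time"] / 1000
    if "port" in fields:
        fields["port"] = int(fields["port"])
    if "timers" in fields:
        # Tt, the last of HAProxy's five timers, is the total request time in ms.
        fields["total_time_ms"] = int(fields["timers"].split("/")[-1])
    return fields


def table(events, pattern=SCELIKOK_RE):
    """Equivalent of the `| table ...` step: one row per matching event."""
    return [row for row in (extract(e, pattern) for e in events) if row is not None]


if __name__ == "__main__":
    for row in table(EVENTS):
        print(row)
    for row in table(EVENTS, RICHGALLOWAY_RE):
        print(row)
```

Both regexes agree on service, hostname, status code and the field after it; the second regex does not carry a port group, so that key is simply absent from its rows. One caveat worth checking before the seconds figure goes on a dashboard: in HAProxy's default HTTP log format the field after the status code is bytes_read, and the request's total elapsed time in milliseconds is the last value of the 0/0/0/1191/1198 block (Tq/Tw/Tc/Tr/Tt). That is why the example also captures that block and reports its last element as total_time_ms (1198 and 1280 for the two sample events), so the two numbers can be compared against what the application itself reports.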


ravir_jbp
Explorer

Hi @scelikok, thank you so much. This solution worked for me!! It was of great help.


ravir_jbp
Explorer

Hello @scelikok,

The query worked. However, I also need the port number along with the hostname, which is separated by "-" after every hostname. Can you help me with that as well?
