Solved: Re: Response Time capture and count

kdulhan · ‎09-01-2017

I have a below SPLUNK event:
ns=app1 Service='trigger1' id=100 ActNo='101' ServiceType='REST',ResponseCode='200',ResponseTime='322ms'

I want to extract all the events where ResponseTime>1000ms.

ns=app1 Service='trigger1' id=100 | stats count(eval(ResponseTime>"'500ms'")) as "Count SLA > 500 ms" works fine.

But when i try to search for the events with ResponseTIme>1000ms using
ns=app1 Service='trigger1' id=100 | stats count(eval(ResponseTime>"'1000ms'")) as "Count SLA > 1000 ms"

whereas I have the events with ResponseTime > 1000ms

I am able to search an event with ResponseTime="'1552ms'"

i.e. ns=app1 Service='trigger1' id=100 | ResponseTime="'1552ms'"

Thank you!

somesoni2 · ‎09-01-2017

Try like this (getting response_time as number for easier mathematical comparison)

ns=app1 Service='trigger1' id=100 | rex field=ResponseTIme "'*(?<response_time>\d+)ms" | stats count(eval(response_time>1000)) as "Count SLA > 1000 ms"

View solution in original post

somesoni2 · ‎09-01-2017

Try like this (getting response_time as number for easier mathematical comparison)

ns=app1 Service='trigger1' id=100 | rex field=ResponseTIme "'*(?<response_time>\d+)ms" | stats count(eval(response_time>1000)) as "Count SLA > 1000 ms"

kdulhan · ‎09-01-2017

Thank you.

Kindly respond to my field extraction query.

Response Time capture and count

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!