Solved: Re: Response Time capture and count

kdulhan · ‎09-01-2017

I have a below SPLUNK event:
ns=app1 Service='trigger1' id=100 ActNo='101' ServiceType='REST',ResponseCode='200',ResponseTime='322ms'

I want to extract all the events where ResponseTime>1000ms.

ns=app1 Service='trigger1' id=100 | stats count(eval(ResponseTime>"'500ms'")) as "Count SLA > 500 ms" works fine.

But when i try to search for the events with ResponseTIme>1000ms using
ns=app1 Service='trigger1' id=100 | stats count(eval(ResponseTime>"'1000ms'")) as "Count SLA > 1000 ms"

whereas I have the events with ResponseTime > 1000ms

I am able to search an event with ResponseTime="'1552ms'"

i.e. ns=app1 Service='trigger1' id=100 | ResponseTime="'1552ms'"

Thank you!

somesoni2 · ‎09-01-2017

Try like this (getting response_time as number for easier mathematical comparison)

ns=app1 Service='trigger1' id=100 | rex field=ResponseTIme "'*(?<response_time>\d+)ms" | stats count(eval(response_time>1000)) as "Count SLA > 1000 ms"

View solution in original post

somesoni2 · ‎09-01-2017

Try like this (getting response_time as number for easier mathematical comparison)

ns=app1 Service='trigger1' id=100 | rex field=ResponseTIme "'*(?<response_time>\d+)ms" | stats count(eval(response_time>1000)) as "Count SLA > 1000 ms"

kdulhan · ‎09-01-2017

Thank you.

Kindly respond to my field extraction query.

Response Time capture and count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation