Solved: Re: How can I change duration [5s] to something I ...

svester · ‎01-15-2019

Hi, I made a search, and want to finetune it with something like "show duration >20seconds", but duration is showed as "duration [8s]". I tried extracting field and make "duration [8s]" a new extracted field, but I don't know how to calculate with these brackets, or how to define it.
Anyone who can help me out? Thanks!

dkeck · ‎01-15-2019

Hi,

so your field value is now "duration [8s]"?

than use this regex: duration\s+\[(?<field>\d+)

This will only give you the numbers.

View solution in original post

svester · ‎01-15-2019

One more problem I'm bumping in now.. what if I also get [..ms], so milliseconds... And I'm searching for, let's say duration>20, now I get results with >20 seconds AND >20 milliseconds. 2 regexes? Any other suggestions?

dkeck · ‎01-15-2019

you can do a new field yes.

You can change the name of the field to "field_a" duration\s+\[(?<field_a>\d+).

So just give it a name where you now its milliseconds.

dkeck · ‎01-15-2019

Hi,

so your field value is now "duration [8s]"?

than use this regex: duration\s+\[(?<field>\d+)

This will only give you the numbers.

svester · ‎01-15-2019

Thanks! It worked 🙂

dkeck · ‎01-15-2019

Please accept my answer if it worked 🙂 Thank you

svester · ‎01-15-2019

Sorry, will do 🙂 Could you please check my 2nd comment? 🙂

How can I change duration [5s] to something I can calculate with?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How can I change duration [5s] to something I can calculate with?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR