In this scenario, I have the following log "response time 34 ms". I want to extract just the number, 34, and evaluate if it is greater than 30. How could I go about doing this?
There can be multiple ways. One is
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | eval result=if(response_timems>30,">30","<=30")
other options
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| eval response_timems=replace(yourfield,"[A-z\s:]","") | eval result=if(response_timems>30,">30","<=30")
Thank you, this is perfect. Is it then possible for me to take the time as an integer value and do an analysis from there? In short, I now have all items I need that specify "response time 30 ms". I want to pull out the 30 from the string and essentially see if this value is increasing over time. Is this possible?
As this is a response time what I want to do is see if this value is increasing over time.
Both searches will give you a field called response_timems (response time in milliseconds), which you can use to trend your response time. One way could be to create a line chart
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | timechart avg(response_timems) as "Avg Response Time"
It looks to make sense but I am not getting results. The field I have is a longer string and what I am looking for is a sub-string. Would I need to format this differently to account for this? So I have "xxxxx response time 42 ms xxxx".
You can try rex to begin with for your field extraction on sample data like one you have provided
<Your Base Search>
| rex field=_raw "response\stime\s(?<ResponseTime>\d+)\sms"
| where ResponseTime>30
However, with your complete set of data, you should try Splunk Interactive Field Extraction to let Splunk figure out the required regular expression for extracting Response Time from your events.
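Added example (not from any of the answers above, and not Splunk's own code): the same regex the answers use for rex, applied in Python to a handful of constructed events, so the three pieces of the thread can be checked offline: extracting the number from a longer event (the sub-string case), keeping only events over 30 ms (the where clause), and bucketing the field per minute to see whether the average is climbing (the timechart). The sample events, timestamps and field names are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same regex the answers above pass to rex; re.search() finds it anywhere in a
# longer event, which is the sub-string case from the follow-up question.
RESPONSE_TIME_RE = re.compile(r"response\stime\s(?P<ResponseTime>\d+)\sms")

# Constructed sample events standing in for (_time, _raw); not real data.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:05", "app=web host=h1 response time 34 ms status=200"),
    ("2024-01-01 10:00:40", "app=web host=h2 response time 12 ms status=200"),
    ("2024-01-01 10:01:10", "app=web host=h1 response time 42 ms status=200"),
    ("2024-01-01 10:01:50", "app=web host=h1 cache warm, no timing reported"),
    ("2024-01-01 10:02:15", "app=web host=h2 response time 58 ms status=500"),
]


def extract_response_time(event):
    """Return the response time in ms as an int, or None when the event lacks it."""
    m = RESPONSE_TIME_RE.search(event)
    return int(m.group("ResponseTime")) if m else None


def classify(ms, threshold=30):
    """Mirror eval result=if(response_timems>30,">30","<=30")."""
    return f">{threshold}" if ms > threshold else f"<={threshold}"


def where_over_threshold(events, threshold=30):
    """Mirror '| where ResponseTime>30': keep only the slow events."""
    slow = []
    for ts, raw in events:
        ms = extract_response_time(raw)
        if ms is not None and ms > threshold:
            slow.append((ts, ms))
    return slow


def timechart_avg(events, span_seconds=60):
    """Mirror '| timechart avg(response_timems)': per-span average of the field.

    Events without the field are skipped, as avg() ignores them in Splunk.
    Keys are the bucket start formatted as 'YYYY-mm-dd HH:MM:SS'.
    """
    buckets = defaultdict(list)
    for ts, raw in events:
        ms = extract_response_time(raw)
        if ms is None:
            continue
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        secs = dt.hour * 3600 + dt.minute * 60 + dt.second
        start = dt.replace(hour=0, minute=0, second=0) + timedelta(seconds=secs - secs % span_seconds)
        buckets[start.strftime("%Y-%m-%d %H:%M:%S")].append(ms)
    return {k: sum(v) / len(v) for k, v in sorted(buckets.items())}


def is_increasing(series):
    """True when every bucket's average is higher than the one before it."""
    values = list(series.values())
    return all(b > a for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for ts, raw in SAMPLE_EVENTS:
        ms = extract_response_time(raw)
        print(ts, ms, classify(ms) if ms is not None else "no field")
    trend = timechart_avg(SAMPLE_EVENTS)
    print(trend, "increasing:", is_increasing(trend))
```

The event at 10:01:50 has no "response time" substring, so rex in Splunk would leave the field empty and timechart avg() would ignore it; the Python mirrors that by skipping the event rather than counting it as zero, which would otherwise drag the minute average down and hide a real slowdown.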