Splunk Search

How to convert a substring to a numeric value and evaluate the result?

aohls
Contributor

In this scenario, I have the following log "response time 34 ms". I want to extract just the number, 34, and evaluate if it is greater than 30. How could I go about doing this?

0 Karma
1 Solution

somesoni2
SplunkTrust

There can be multiple ways. One is

your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | eval result=if(response_timems>30,">30","<=30")

other options

your current search which includes 'yourfield' which has value in format "response time 34 ms"
| eval response_timems=replace(yourfield,"[A-Za-z\s:]","") | eval result=if(response_timems>30,">30","<=30")

0 Karma

aohls
Contributor

Thank you, this is perfect. Is it then possible for me to take the time as an integer value and do an analysis from there? In short, I now have all items I need that specify "response time 30 ms". I want to pull out the 30 from the string and essentially see if this value is increasing over time. Is this possible?

As this is a response time what I want to do is see if this value is increasing over time.

0 Karma

somesoni2
SplunkTrust

Both searches will give you a field called response_timems (response time in milliseconds), which you can use to trend your response time. One way could be to create a line chart

 your current search which includes 'yourfield' which has value in format "response time 34 ms"
 | rex field=yourfield "response time (?<response_timems>\d+) ms" | timechart avg(response_timems) as "Avg Response Time"
0 Karma

aohls
Contributor

It seems to make sense, but I am not getting results. The field I have is a longer string, and what I am looking for is a sub-string. Would I need to format this differently to account for this? So I have "xxxxx response time 42 ms xxxx".

0 Karma

niketn
Legend

You can try rex to begin with for your field extraction on sample data like the one you have provided:

<Your Base Search>
| rex field=_raw "response\stime\s(?<ResponseTime>\d+)\sms"
| where ResponseTime>30

However, with your complete set of data, you should try Splunk Interactive Field Extraction to let Splunk figure out the required regular expression for extracting Response Time from your events.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
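The extraction, threshold check and per-minute trend from the answers above, carried out in Python over constructed sample events so it can be run offline. This is an added example, not code from the original thread or from Splunk: the event lines, the timestamp layout, the field name response_timems and the one-minute span are all assumptions. It mirrors the rex approach (anchor on the literal words "response time", then convert the capture to an integer, as Splunk does implicitly in the comparison) and also shows why the replace()-based variant from the accepted answer breaks on the longer events the asker described: once the message carries other digits (timestamp, host name, status code), stripping letters leaves all of them behind. The regex uses `\s*ms`, which is slightly more tolerant than the `\sms` in the answers and also accepts "42ms".

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post). Each is a longer
# message with the "response time N ms" substring embedded, like the asker's
# "xxxxx response time 42 ms xxxx". One event has no response time at all.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:05Z host=web01 GET /login response time 34 ms status=200",
    "2024-03-01T10:00:40Z host=web01 GET /api/v1/items response time 12 ms status=200",
    "2024-03-01T10:01:10Z host=web02 POST /login response time 58 ms status=401",
    "2024-03-01T10:01:55Z host=web02 GET /healthz status=200",
    "2024-03-01T10:02:20Z host=web01 GET /api/v1/items response time 73 ms status=500",
]

# Equivalent of: | rex field=_raw "response\stime\s(?<response_timems>\d+)\sms"
# Anchoring on the literal words, not on "any run of digits", is what keeps the
# extraction from picking up the timestamp, the host number or the status code.
RESPONSE_TIME_RE = re.compile(r"response\s+time\s+(?P<response_timems>\d+)\s*ms")


def extract_response_time(event: str):
    """Return the response time in ms as an int, or None if the event has none."""
    m = RESPONSE_TIME_RE.search(event)
    return int(m.group("response_timems")) if m else None


def strip_letters(event: str) -> str:
    """The replace()-based approach from the accepted answer, for comparison:
    drop letters, whitespace and colons and hope a number is left. It works on
    the bare "response time 34 ms" value but not on a longer event."""
    return re.sub(r"[A-Za-z\s:]", "", event)


def classify(event: str, threshold: int = 30):
    """Equivalent of: | eval result=if(response_timems>30, ">30", "<=30")
    Returns None when the event has no response time (Splunk would give null)."""
    ms = extract_response_time(event)
    if ms is None:
        return None
    return ">%d" % threshold if ms > threshold else "<=%d" % threshold


def timechart_avg(events, span_seconds: int = 60):
    """Equivalent of: | timechart span=1m avg(response_timems)
    Buckets events by the leading ISO-8601 timestamp (assumed layout) and
    averages per bucket; events without a value are skipped, as avg() skips
    nulls. Returns {"HH:MM": average} in time order."""
    buckets = defaultdict(list)
    for ev in events:
        ms = extract_response_time(ev)
        if ms is None:
            continue
        stamp = ev.split(" ", 1)[0]
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        bucket = epoch - (epoch % span_seconds)
        buckets[bucket].append(ms)
    return {
        datetime.fromtimestamp(b, timezone.utc).strftime("%H:%M"): sum(v) / len(v)
        for b, v in sorted(buckets.items())
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_response_time(ev), classify(ev), "|", ev)
    print("replace() on a long event leaves:", strip_letters(SAMPLE_EVENTS[0]))
    print("per-minute average:", timechart_avg(SAMPLE_EVENTS))
```

The point that matters if the >30 ms comparison is going to drive an alert or a dashboard is the anchoring: a pattern keyed on the literal field label extracts the right number or nothing, whereas the letter-stripping variant silently produces garbage on any event that contains other digits, and a garbage string compared against 30 gives a result that looks valid. The same applies in Splunk: prefer the rex form from the answers and let events without a match fall out as null rather than forcing a value.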