Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert a substring to a numeric value and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this scenario, I have the following log "response time 34 ms". I want to extract just the number, 34, and evaluate if it is greater than 30. How could I go about doing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There can be multiple ways. One is
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | eval result=if(response_timems>30,">30","<=30)
other options
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| eval response_timems=replace(yourfield,"[A-z\s:]","") | eval result=if(response_timems>30,">30","<=30)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There can be multiple ways. One is
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | eval result=if(response_timems>30,">30","<=30)
other options
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| eval response_timems=replace(yourfield,"[A-z\s:]","") | eval result=if(response_timems>30,">30","<=30)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you this is perfect. Is it then possible for me to take the time as an integer value and do a analysis from there. In short I now have all items I need that specify "response time 30 ms". I want to pull out the 30 from the string and essentially see if this value is increasing overtime. Is this possible?
As this is a response time what I want to do is see if this value is increasing over time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both searches will give you a field called response_timems (response time in milliseconds), which you can use to trend your response time. One way could be to create a line chart
your current search which includes 'yourfield' which has value in format "response time 34 ms"
| rex field=yourfield "response time (?<response_timems>\d+) ms" | timechart avg(response_timems) as "Avg Response Time"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks to make sense but I am not getting results. The field I have is a longer string and what I am looking for is a sub-string. Would I need to format this differently to account for this? So I have "xxxxx response time 42 ms xxxx".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try rex to begin with for your field extraction on sample data like one you have provided
<Your Base Search>
| rex field=_raw "response\stime\s(?<ResponseTime>\d+)\sms"
| where ResponseTime>30
However, with you complete set of data, you should try Splunk Interactive Field Extraction to let Splunk figure out required regular expression for extracting Response Time from your events.
| makeresults | eval message= "Happy Splunking!!!"
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
Observe and Secure All Apps with Splunk
