- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to extract string value from...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to extract string from event and get the total count and range values .
I have event logs with a "response time (25) sec" and i would like to have the number in () extracted and total count with values in () and check how many are <25 sec and >25 .
basesearch | feildextracted"response time value from the bracket ()"= * | eval time = case(rep<=2, rep >20, ) | stats count as total by duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following field extraction should work in your case however, you should consider
1) either providing more sample data/mock data
2) Interactive Field Extraction within Splunk to let Splunk come up with appropriate regular expression as per your data
rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"
For coming up with ranges you can try the following
Option 1: Splunk's rangemap command which generates range field
| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range
Option 2 If you want to do the same through case you can try the following:
| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range
The same can also be done via nested if command but will become complicated with multiple ranges.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search count=25
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Woodcock .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Following field extraction should work in your case however, you should consider
1) either providing more sample data/mock data
2) Interactive Field Extraction within Splunk to let Splunk come up with appropriate regular expression as per your data
rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"
For coming up with ranges you can try the following
Option 1: Splunk's rangemap command which generates range field
| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range
Option 2 If you want to do the same through case you can try the following:
| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range
The same can also be done via nested if command but will become complicated with multiple ranges.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You Niketnilay .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time
This should give count for each value of response_time.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
