How to edit my search to extract string value from an event and get the total count and range values?

guru865
Path Finder

Need to extract a string from an event and get the total count and range values.

I have event logs with a "response time (25) sec" and I would like to have the number in () extracted, the total count by the value in (), and a check of how many are <25 sec and >25.

basesearch | rex "response time \((?<rep>\d+)\) sec" | eval duration = case(rep<=2, "<=2", rep>20, ">20", 1==1, "2-20") | stats count as total by duration
0 Karma
1 Solution

niketn
Legend

The following field extraction should work in your case; however, you should consider
1) either providing more sample data/mock data, or
2) using Interactive Field Extraction within Splunk to let Splunk come up with an appropriate regular expression for your data.

rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"

For coming up with ranges you can try the following

Option 1: Splunk's rangemap command, which generates a range field

| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range

Option 2: If you want to do the same through case, you can try the following:

| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range

The same can also be done via nested if commands, but it will become complicated with multiple ranges.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
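An added end-to-end version of the above that is not from any poster in this thread: it builds four constructed sample events with makeresults, applies the rex extraction, and buckets on the 25 second boundary the question asks about. The sample _raw strings, the bucket labels, and the decision to use case() (so the boundary at exactly 25 and non-matching events are handled explicitly) are assumptions.

```spl
| makeresults count=1
| eval _raw=split("2024-03-01 10:00:01 GET /api/orders response time (12) sec;2024-03-01 10:00:02 GET /api/orders response time (25) sec;2024-03-01 10:00:03 GET /api/users response time (31.5) sec;2024-03-01 10:00:04 GET /api/users no timing recorded", ";")
| mvexpand _raw
| rex field=_raw "response\stime\s\((?<response_time>[\d\.]+)\)\ssec"
| eval range=case(response_time<25, "under_25",
                  response_time==25, "exactly_25",
                  response_time>25, "over_25",
                  1==1, "no_match")
| stats count AS total BY range
```

Events whose _raw does not contain the pattern get no response_time field, so the final 1==1 branch keeps them visible as no_match instead of silently dropping them from the totals.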

woodcock
Esteemed Legend

Like this:

basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search total=25
0 Karma

guru865
Path Finder

Thank you Woodcock .

0 Karma

guru865
Path Finder

Thank You Niketnilay .

0 Karma

somesoni2
SplunkTrust

Give this a try

your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time

This should give a count for each value of response_time.

0 Karma