Need to extract string from event and get the total count and range values .
I have event logs with a "response time (25) sec" and i would like to have the number in () extracted and total count with values in () and check how many are <25 sec and >25 .
basesearch | feildextracted"response time value from the bracket ()"= * | eval time = case(rep<=2, rep >20, ) | stats count as total by duration
Following field extraction should work in your case however, you should consider
1) either providing more sample data/mock data
2) Interactive Field Extraction within Splunk to let Splunk come up with appropriate regular expression as per your data
rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"
For coming up with ranges you can try the following
Option 1: Splunk's rangemap command which generates range field
| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range
Option 2 If you want to do the same through case you can try the following:
| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range
The same can also be done via nested if command but will become complicated with multiple ranges.
Like this:
basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search count=25
Thank you Woodcock .
Following field extraction should work in your case however, you should consider
1) either providing more sample data/mock data
2) Interactive Field Extraction within Splunk to let Splunk come up with appropriate regular expression as per your data
rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"
For coming up with ranges you can try the following
Option 1: Splunk's rangemap command which generates range field
| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range
Option 2 If you want to do the same through case you can try the following:
| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range
The same can also be done via nested if command but will become complicated with multiple ranges.
Thank You Niketnilay .
Give this a try
your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time
This should give count for each value of response_time.