Splunk Search

How to edit my search to extract string value from an event and get the total count and range values?

guru865
Path Finder

I need to extract a string from an event and get the total count and range values.

I have event logs with a "response time (25) sec" and I would like to have the number in () extracted, the total count of values in (), and a check of how many are <25 sec and >25.

basesearch | fieldextracted"response time value from the bracket ()"= * | eval time = case(rep<=2, rep >20, ) | stats count as total by duration
0 Karma
1 Solution

niketn
Legend

The following field extraction should work in your case; however, you should consider
1) either providing more sample data/mock data, or
2) using Interactive Field Extraction within Splunk to let Splunk come up with an appropriate regular expression for your data.

rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"

For coming up with ranges you can try the following

Option 1: Splunk's rangemap command which generates range field

| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range

Option 2: If you want to do the same through case you can try the following:

| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range

The same can also be done via nested if commands, but that becomes complicated with multiple ranges.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
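As an added illustration (not code from any poster on this thread), the same extraction and bucketing reimplemented in Python over constructed log lines, so the regex and the range boundaries can be checked offline: the case() option gives every event exactly one range, while inclusive rangemap bounds such as 0-2 and 2-20 overlap at 2 and 20, which the rangemap model below surfaces as two labels for one event. The sample events, function names and that multivalue modelling are assumptions, not something this page states.

```python
import re
from collections import Counter

# Same pattern as the accepted answer's rex, written as a Python regex.
RESPONSE_TIME_RE = re.compile(r"response\stime\s\((?P<response_time>\d+)\)\ssec")

# Thresholds mirror the answer: green=0-2 blue=2-20 red=20-25 default=gray.
RANGES = [("green", 0, 2), ("blue", 2, 20), ("red", 20, 25)]

# Constructed sample events (not real data). The last one carries no response time.
SAMPLE_EVENTS = [
    "2023-10-01 12:00:01 INFO request ok response time (2) sec",
    "2023-10-01 12:00:02 INFO request ok response time (15) sec",
    "2023-10-01 12:00:03 WARN request slow response time (20) sec",
    "2023-10-01 12:00:04 WARN request slow response time (25) sec",
    "2023-10-01 12:00:05 ERROR request timeout response time (31) sec",
    "2023-10-01 12:00:06 INFO heartbeat",
]

def extract_response_time(raw):
    """Integer inside the parentheses, or None when the event does not match (rex yields no field)."""
    m = RESPONSE_TIME_RE.search(raw)
    return int(m.group("response_time")) if m else None

def range_case(t):
    """Option 2 (eval case): the first true clause wins, so each value gets exactly one label."""
    if t <= 2:
        return ["green"]
    if t <= 20:
        return ["blue"]
    if t <= 25:
        return ["red"]
    return ["gray"]

def range_rangemap(t):
    """Option 1 (rangemap) modelled with inclusive bounds: a value sitting on a shared
    boundary (2 or 20) satisfies two ranges, so it is returned with both labels (assumed multivalue)."""
    hits = [name for name, lo, hi in RANGES if lo <= t <= hi]
    return hits or ["gray"]

def count_by_range(lines, bucket):
    """Equivalent of '| stats count as Total by range' over the extracted values."""
    counts = Counter()
    for line in lines:
        t = extract_response_time(line)
        if t is None:
            continue  # unmatched events have no response_time and drop out of the stats
        counts.update(bucket(t))
    return dict(counts)

def total_extracted(lines):
    """Number of events that actually produced a response_time value."""
    return sum(extract_response_time(line) is not None for line in lines)
```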

woodcock
Esteemed Legend

Like this:

basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search total=25
0 Karma

guru865
Path Finder

Thank you, Woodcock.

0 Karma


guru865
Path Finder

Thank you, Niketnilay.

0 Karma

somesoni2
SplunkTrust

Give this a try

your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time

This should give count for each value of response_time.

0 Karma