
How to edit my search to extract string value from an event and get the total count and range values?

Path Finder

Need to extract a string from an event and get the total count and range values.

I have event logs with a "response time (25) sec" and I would like to have the number in () extracted, get the total count with the values in (), and check how many are <25 sec and >25.

basesearch | feildextracted"response time value from the bracket ()"= * | eval time = case(rep<=2, rep >20, ) | stats count as total by duration 
0 Karma

Re: How to edit my search to extract string value from an event and get the total count and range values?

SplunkTrust

Give this a try

your base search | rex "response time \((?<response_time>[\d\.]+)\)" | stats count by response_time

This should give count for each value of response_time.

0 Karma

Re: How to edit my search to extract string value from an event and get the total count and range values?

Legend

The following field extraction should work in your case; however, you should consider
1) either providing more sample data/mock data, or
2) using Interactive Field Extraction within Splunk to let Splunk come up with an appropriate regular expression for your data

rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"

For coming up with ranges you can try the following

Option 1: Splunk's rangemap command which generates range field

| rangemap field=response_time green=0-2 blue=2-20 red=20-25 default=gray
| stats count as Total by range

Option 2: If you want to do the same through case, you can try the following:

| eval range=case(response_time<=2,"green",response_time>2 AND response_time<=20,"blue",response_time>20 AND response_time<=25,"red",1==1,"gray")
| stats count as Total by range

The same can also be done via nested if commands, but it will become complicated with multiple ranges.




| eval message="Happy Splunking!!!"



0 Karma
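
An added example, not part of any reply in this thread: a self-contained search that builds six constructed events with makeresults, applies the rex from the answer above, and splits the counts at the 25-second threshold the question asks about. The event text (tagged app=constructed_sample), the range labels, and the `unparsed` bucket for events the regex does not match are assumptions.

```spl
| makeresults count=6
| streamstats count as n
| eval rt=case(n=1,"1", n=2,"2", n=3,"18", n=4,"25", n=5,"31", n=6,"n/a")
| eval _raw="app=constructed_sample response time (".rt.") sec"
| rex field=_raw "response\stime\s\((?<response_time>\d+)\)\ssec"
| eval response_time=tonumber(response_time)
| eval range=case(isnull(response_time),"unparsed", response_time<25,"under_25", response_time=25,"equal_25", response_time>25,"over_25")
| stats count as Total by range
| eventstats sum(Total) as AllEvents
```

Keeping an explicit bucket for events where the extraction fails makes a format change in the log line visible in the totals instead of silently shrinking them.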

Re: How to edit my search to extract string value from an event and get the total count and range values?

Path Finder

Thank you, Niketnilay.

0 Karma

Re: How to edit my search to extract string value from an event and get the total count and range values?

Esteemed Legend

Like this:

basesearch | rex "\((?<duration>[\d\.]+)\)" | stats count as total by duration | search count=25
0 Karma

Re: How to edit my search to extract string value from an event and get the total count and range values?

Path Finder

Thank you, Woodcock.

0 Karma