Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter by time

ycherbi
Explorer
‎06-21-2020 09:31 AM

Hi,

 

I am using Splunk to monitor our REST API calls

search is

index=prod-* "WEBSERVICES CALL ENDED"

it gives  me results, but I want to get only results when time> 5000 ms 

or get the slowest API response time by time field?

hoe can I do it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ycherbi
Explorer
‎06-21-2020 04:28 PM

found it

 

index=prod-* "WEBSERVICES CALL ENDED" 

|rex field=time "(?<time>\d+)"

|where time>1000

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2020 11:32 AM
We need more information. Please share some same (anonymized) data.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 12:45 PM

Hi,

Thank you for your reply,I will add more info

so this is my search

 index=prod-* "WEBSERVICES CALL ENDED"

It will return records that indicate about my API call end  (see image below)

As you can see we have processing time field in our logs and also time field (by Splunk) both are equal, I would to use this time field and get only API calls that processing time is longer than 5000ms ( add alerts).

Or get average API time, hope it more clear now

 

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-21-2020 02:16 PM

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "(<time>\d+)"

|where time>5000

 

fire alert: event count > 0

0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 04:02 PM

Hi,

It didn't work got this error:

Error in 'rex' command: The regex '(<time>\d+)' does not extract anything. It should specify at least one named group. Format: (?<name>...).
The search job has failed due to an error. You may be able view the job in....

 

I tried also but no results

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "processing time:<(?<time>.*)> ms"

|where time>10

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 04:04 PM

Also this didnt work

 

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "(?<time>.*)"

|where time>23

0 Karma
Reply
Solved! Jump to solution
Solution

ycherbi
Explorer
‎06-21-2020 04:28 PM

found it

 

index=prod-* "WEBSERVICES CALL ENDED" 

|rex field=time "(?<time>\d+)"

|where time>1000

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-22-2020 02:05 AM

good job. please accept your answer. and I'm sorry for typo.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...