Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to filter by time

ycherbi
Explorer
‎06-21-2020 09:31 AM

Hi,

 

I am using Splunk to monitor our REST API calls

search is

index=prod-* "WEBSERVICES CALL ENDED"

it gives  me results, but I want to get only results when time> 5000 ms 

or get the slowest API response time by time field?

hoe can I do it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ycherbi
Explorer
‎06-21-2020 04:28 PM

found it

 

index=prod-* "WEBSERVICES CALL ENDED" 

|rex field=time "(?<time>\d+)"

|where time>1000

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2020 11:32 AM
We need more information. Please share some same (anonymized) data.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 12:45 PM

Hi,

Thank you for your reply,I will add more info

so this is my search

 index=prod-* "WEBSERVICES CALL ENDED"

It will return records that indicate about my API call end  (see image below)

As you can see we have processing time field in our logs and also time field (by Splunk) both are equal, I would to use this time field and get only API calls that processing time is longer than 5000ms ( add alerts).

Or get average API time, hope it more clear now

 

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-21-2020 02:16 PM

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "(<time>\d+)"

|where time>5000

 

fire alert: event count > 0

0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 04:02 PM

Hi,

It didn't work got this error:

Error in 'rex' command: The regex '(<time>\d+)' does not extract anything. It should specify at least one named group. Format: (?<name>...).
The search job has failed due to an error. You may be able view the job in....

 

I tried also but no results

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "processing time:<(?<time>.*)> ms"

|where time>10

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ycherbi
Explorer
‎06-21-2020 04:04 PM

Also this didnt work

 

index=prod-* "WEBSERVICES CALL ENDED"

|rex field=time "(?<time>.*)"

|where time>23

0 Karma
Reply
Solved! Jump to solution
Solution

ycherbi
Explorer
‎06-21-2020 04:28 PM

found it

 

index=prod-* "WEBSERVICES CALL ENDED" 

|rex field=time "(?<time>\d+)"

|where time>1000

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-22-2020 02:05 AM

good job. please accept your answer. and I'm sorry for typo.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...