How to format the SPL as code?

venkat0896
Path Finder

Hi,

I am working on a dashboard. I am creating a table to monitor the count, average response time and maximum response time of the API calls.

I need some assistance with the rex field. Here is my logger:

2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200

Here is my search query:

source="/log/server.log"
/api1
OR /api2
OR /api3
"[METRICS] Response Time" 
| rex field=_raw " (?<Request>/.*):" 
| rex field=_raw "(?<Time>.*?)ms" 
| stats  count as Total,  
avg(Time) as "Average Response Time (ms)", 
max(Time) as "Maximum Response Time (ms)" by Request 

The table is generating, but only the count is working. Please assist with the rex field to get the average response time.
Expected result:

Request  Count  Average response time  Maximum response time
/api1    1      ms                     ms
/api2    1      ms                     ms

Thanks in advance !!


cathalmcginley
Engager

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

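The Time patterns from this answer and from aohls' replies further down, run against a few constructed events modelled on the question's log line so you can see what `stats avg(Time)` actually receives from each one (added example, not code from the thread; the sample events and the stats emulation are constructed):

```javascript
// Added example, not from the thread: applies the thread's Time regexes to constructed
// events and emulates `stats count, avg(Time), max(Time) by Request`. Splunk rex uses
// PCRE named groups (?<name>...), which JavaScript also accepts, so patterns are verbatim.

// Constructed sample events (using the /api1 and /api2 paths from the expected table).
const EVENTS = [
  "2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /api1: 1658 ms, httpResponseCode=200",
  "2019-08-20 10:37:03,120 INFO package name [header-values] [METRICS] Response Time for POST /api1: 342 ms, httpResponseCode=200",
  "2019-08-20 10:37:04,005 INFO package name [header-values] [METRICS] Response Time for GET /api2: 97 ms, httpResponseCode=404",
];

const REQUEST_PATTERN = /(?<Request>\/.*):/;  // from the question: greedy, ends at the last ':'
const TIME_PATTERNS = {
  original: /(?<Time>.*?)ms/,   // question: lazy match from position 0 captures the whole prefix
  aohls:    /(?<Time>.?) ms/,   // first suggestion: only the single character before " ms"
  accepted: /(?<Time>\d+) ms/,  // accepted answer: one or more digits before " ms"
};

// rex semantics: each named group becomes a field; on no match the field is absent.
function extract(event, pattern) {
  const m = pattern.exec(event);
  return m ? m.groups : {};
}

// stats avg()/max() only use values that parse as numbers; count counts every event.
function asNumber(value) {
  if (value === undefined || !/^\s*-?\d+(\.\d+)?\s*$/.test(value)) return null;
  return Number(value);
}

function statsByRequest(events, timePattern) {
  const rows = {};
  for (const ev of events) {
    const req = extract(ev, REQUEST_PATTERN).Request;
    if (req === undefined) continue;  // no Request field: dropped by "by Request"
    const row = rows[req] ?? (rows[req] = { count: 0, times: [] });
    row.count += 1;
    const t = asNumber(extract(ev, timePattern).Time);
    if (t !== null) row.times.push(t);
  }
  for (const row of Object.values(rows)) {
    row.avg = row.times.length ? row.times.reduce((a, b) => a + b, 0) / row.times.length : null;
    row.max = row.times.length ? Math.max(...row.times) : null;
    delete row.times;
  }
  return rows;
}

for (const [name, pattern] of Object.entries(TIME_PATTERNS)) {
  console.log(name, JSON.stringify(statsByRequest(EVENTS, pattern)));
}
```

With the question's pattern the count is right but avg and max come back empty, because Time holds the non-numeric text before the first "ms"; only the `\d+` version yields the full number.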

niketn
Legend

@venkat0896, instead of having two rex commands on _raw you can write a single one, i.e. | rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
Following is a run anywhere search based on your data.

| makeresults
| fields - _time
| eval _raw="2019-08-20 10:37:02,690 INFO [package name] (default task-248) [header-values] [METRICS] Response Time for POST /base/one/two: 1658 ms, httpResponseCode=200"
| rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
| fields api_name Time _raw
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


richgalloway
SplunkTrust

Please edit your question to format the SPL as code. Do that by highlighting the SPL and then clicking the 101010 icon. Then please correct the rex statements.

---
If this reply helps you, Karma would be appreciated.

aohls
Contributor

Your event looks to have a space before ms, have you confirmed Time is getting values?
Maybe | rex field=_raw "(?.?) ms" would work.
Edit: not displaying right but (?<Time>.?) ms

venkat0896
Path Finder

@aohls
2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200
1658 is the value.
I tried leaving a space before ms... not working.


aohls
Contributor

We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms This did not work for me, no results
(?<Time>.?) ms Has a space and works ok but only gets the end number, 4 in my case.
(?<Time>\d+) ms This worked the best as it is getting the full number.

venkat0896
Path Finder

Yes, perfect @aohls.


venkat0896
Path Finder

@ansusabu can you take a look at this?
