Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to format the SPL as code?

venkat0896
Path Finder
‎08-21-2019 01:12 AM

Hi,

I am working on a dashboard. i am creating a table to monitor the count, average response time and maximum response time of the Api calls.

I need some assistance with the rex field
here is my logger:

2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200

here is my search query 

source="/log/server.log"
/api1
OR /api2
OR /api3
"[METRICS] Response Time" 
| rex field=_raw " (?<Request>/.*):" 
| rex field=_raw "(?<Time>.*?)ms" 
| stats  count as Total,  
avg(Time) as "Average Response Time (ms)", 
max(Time) as "Maximum Response Time (ms)" by Request

The table is generating but only the count is working. please assist with rex field to get the average response time
Expected result 

Request Count Average response time Maximum response time
/api1        1               ms                       ms
/api2         1              ms                        ms

Thanks in advance !!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cathalmcginley
Engager
‎08-21-2019 09:39 AM

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎08-21-2019 09:55 AM

@venkat0896 instead of having two rex on _raw you can write a single i.e. | rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
Following is a run anywhere search based on your data.

| makeresults
| fields - _time
| eval _raw="2019-08-20 10:37:02,690 INFO [package name] (default task-248) [header-values] [METRICS] Response Time for POST /base/one/two: 1658 ms, httpResponseCode=200"
| rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
| fields api_name Time _raw
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution
Solution

cathalmcginley
Engager
‎08-21-2019 09:39 AM

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2019 06:06 AM

Please edit your question to format the SPL as code. Do that by highlighting the SPL and then clicking the 101010 icon. Then please correct the rex statements.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎08-21-2019 05:50 AM

Your event looks to have a space before ms, have you confirmed Time is getting values?
Maybe| rex field=_raw "(?.?) ms" would work.
Edit: not displaying right but (?<Time>.?) ms

Reply
Solved! Jump to solution

venkat0896
Path Finder
‎08-21-2019 06:08 AM

@aohls
2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200
1658 is the value.
i tried leaving a space before ms .. not working

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎08-21-2019 07:22 AM

We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms This did not work for me, no results
(?<Time>.?) ms Has a space and works ok but only gets the end number, 4 in my case.
(?<Time>\d+) ms This worked the best as it is getting the full number.

Reply
Solved! Jump to solution

venkat0896
Path Finder
‎08-21-2019 07:34 AM

Yes perfect @aohls

0 Karma
Reply
Solved! Jump to solution

venkat0896
Path Finder
‎08-21-2019 05:41 AM

@ansusabu can you take a look on this ?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...