Solved: Re: How to format the SPL as code?

venkat0896 · ‎08-21-2019

Hi,

I am working on a dashboard. i am creating a table to monitor the count, average response time and maximum response time of the Api calls.

I need some assistance with the rex field
here is my logger:

2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200

here is my search query

source="/log/server.log"
/api1
OR /api2
OR /api3
"[METRICS] Response Time" 
| rex field=_raw " (?<Request>/.*):" 
| rex field=_raw "(?<Time>.*?)ms" 
| stats  count as Total,  
avg(Time) as "Average Response Time (ms)", 
max(Time) as "Maximum Response Time (ms)" by Request

The table is generating but only the count is working. please assist with rex field to get the average response time
Expected result

Request Count Average response time Maximum response time
/api1        1               ms                       ms
/api2         1              ms                        ms

Thanks in advance !!

cathalmcginley · ‎08-21-2019

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

View solution in original post

niketn · ‎08-21-2019

@venkat0896 instead of having two rex on _raw you can write a single i.e. | rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
Following is a run anywhere search based on your data.

| makeresults
| fields - _time
| eval _raw="2019-08-20 10:37:02,690 INFO [package name] (default task-248) [header-values] [METRICS] Response Time for POST /base/one/two: 1658 ms, httpResponseCode=200"
| rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
| fields api_name Time _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

cathalmcginley · ‎08-21-2019

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.

richgalloway · ‎08-21-2019

Please edit your question to format the SPL as code. Do that by highlighting the SPL and then clicking the 101010 icon. Then please correct the rex statements.

---
If this reply helps you, Karma would be appreciated.

aohls · ‎08-21-2019

Your event looks to have a space before ms, have you confirmed Time is getting values?
Maybe| rex field=_raw "(?.?) ms" would work.
Edit: not displaying right but (?<Time>.?) ms

venkat0896 · ‎08-21-2019

@aohls
2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200
1658 is the value.
i tried leaving a space before ms .. not working

aohls · ‎08-21-2019

We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms This did not work for me, no results
(?<Time>.?) ms Has a space and works ok but only gets the end number, 4 in my case.
(?<Time>\d+) ms This worked the best as it is getting the full number.

venkat0896 · ‎08-21-2019

Yes perfect @aohls

venkat0896 · ‎08-21-2019

@ansusabu can you take a look on this ?

How to format the SPL as code?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services