Splunk Search

How to format the SPL as code?

Path Finder

Hi,

I am working on a dashboard. I am creating a table to monitor the count, average response time and maximum response time of the API calls.

I need some assistance with the rex field.
Here is my logger:

2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200

Here is my search query:

source="/log/server.log" /api1 OR /api2 OR /api3 "[METRICS] Response Time"
| rex field=_raw " (?<Request>/.*):"
| rex field=_raw "(?<Time>.*?)ms"
| stats count as Total,
    avg(Time) as "Average Response Time (ms)",
    max(Time) as "Maximum Response Time (ms)" by Request

The table is generated, but only the count is working. Please assist with the rex field to get the average response time.
Expected result:

Request   Count   Average response time   Maximum response time
/api1     1       ms                      ms
/api2     1       ms                      ms

Thanks in advance!!

0 Karma
1 Solution

I find it useful to check my regexes with a tool like Regex 101 before plugging it into rex commands.

 | rex "(?<Request>\/.*):"
 | rex "(?<Time>\d+) ms"

As aohls mentioned, you need a space before the ms, but also you should be capturing more than a single character. I've specified one or more digits.
Similarly, you need to specify more than a single character for the Request path.


SplunkTrust

@venkat0896 instead of having two rex commands on _raw you can write a single one, i.e. ` | rex "(?<apiname>\/[^:]+):\s(?

| makeresults
| fields - _time
| eval _raw="2019-08-20 10:37:02,690 INFO [package name] (default task-248) [header-values] [METRICS] Response Time for POST /base/one/two: 1658 ms, httpResponseCode=200"
| rex "(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,"
| fields api_name Time _raw
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


SplunkTrust

Please edit your question to format the SPL as code. Do that by highlighting the SPL and then clicking the 101010 icon. Then please correct the rex statements.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Communicator

Your event looks to have a space before ms; have you confirmed Time is getting values?
Maybe | rex field=_raw "(?<Time>.?) ms" would work.
Edit: not displaying right, but (?<Time>.?) ms

Path Finder

@aohls
2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] Response Time for POST /service url: 1658 ms, httpResponseCode=200
1658 is the value.
I tried leaving a space before ms... not working.

0 Karma

Communicator

We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms - This did not work for me, no results.
(?<Time>.?) ms - Has a space and works OK, but only gets the end number, 4 in my case.
(?<Time>\d+) ms - This worked the best, as it is getting the full number.
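
An added example, not code from this thread: a Python script that applies the rex patterns quoted above (the question's two rex commands, the accepted answer's `(?<Time>\d+) ms` and `(?<Request>\/.*):`, niharika's single rex, and aohls's `.?` variants checked against the fragment "=2074 ms") to constructed events in the format of the original logger line, and emulates the `stats count, avg(Time), max(Time) by Request` aggregation so you can see why only the count came through with the original Time pattern. The event lines, the labels in REGEXES, and the helper names rex and stats_by_request are this example's own assumptions; the rex patterns themselves are the ones posted in the thread.

```python
import re
import statistics

# Constructed sample events in the shape of the thread's logger line; the paths,
# timings and status codes are made up for this example.
EVENTS = [
    "2019-08-20 10:37:02,690 INFO package name [header-values] [METRICS] "
    "Response Time for POST /api1: 1658 ms, httpResponseCode=200",
    "2019-08-20 10:37:03,120 INFO package name [header-values] [METRICS] "
    "Response Time for GET /api2: 2074 ms, httpResponseCode=200",
    "2019-08-20 10:37:04,005 INFO package name [header-values] [METRICS] "
    "Response Time for POST /api1: 342 ms, httpResponseCode=500",
]

# The rex patterns quoted in the thread, verbatim (PCRE-style named groups).
# The dictionary keys are labels chosen for this example.
REGEXES = {
    "question_request": r" (?<Request>/.*):",   # original question
    "question_time": r"(?<Time>.*?)ms",         # original question: lazy match from start of event
    "aohls_no_space": r"(?<Time>.?)ms",         # aohls's first attempt, no space before ms
    "aohls_space": r"(?<Time>.?) ms",           # aohls's second attempt, one optional char
    "solution_request": r"(?<Request>\/.*):",   # accepted answer: greedy up to the last ':'
    "solution_time": r"(?<Time>\d+) ms",        # accepted answer: one or more digits
    "single_rex": r"(?<api_name>\/[^\:]+)\:\s(?<Time>[^\s]+)\sms,",  # niharika's single rex
}


def rex(pattern, event):
    """Emulate Splunk's rex on one event: apply a PCRE-style pattern and
    return its named groups, or an empty dict when nothing matches.
    Python's re spells named groups (?P<name>...), so the Splunk form
    (?<name>...) is rewritten first (lookbehinds (?<= and (?<! are left alone)."""
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    m = re.search(py_pattern, event)
    return m.groupdict() if m else {}


def stats_by_request(events, request_pattern, time_pattern):
    """Emulate '| stats count as Total, avg(Time), max(Time) by Request'.
    As in Splunk, count counts every event in the group, while avg and max
    only use numeric values, so a garbage Time capture leaves them empty."""
    groups = {}
    for ev in events:
        req = rex(request_pattern, ev).get("Request")
        if req is None:  # events without the by-field drop out of stats
            continue
        g = groups.setdefault(req, {"count": 0, "times": []})
        g["count"] += 1
        t = rex(time_pattern, ev).get("Time", "")
        if t.strip().isdigit():
            g["times"].append(int(t))
    table = {}
    for req, g in groups.items():
        times = g["times"]
        table[req] = {
            "Total": g["count"],
            "Average Response Time (ms)": statistics.mean(times) if times else None,
            "Maximum Response Time (ms)": max(times) if times else None,
        }
    return table


if __name__ == "__main__":
    for label, pattern in REGEXES.items():
        print(f"{label:18} {pattern:45} -> {rex(pattern, EVENTS[0])}")
    # aohls's fragment test: only the \d+ form captures the whole number
    for label in ("aohls_no_space", "aohls_space", "solution_time"):
        print(f'{label:18} on "=2074 ms" -> {rex(REGEXES[label], "=2074 ms")!r}')
    print("question's rex :", stats_by_request(EVENTS, REGEXES["question_request"], REGEXES["question_time"]))
    print("accepted answer:", stats_by_request(EVENTS, REGEXES["solution_request"], REGEXES["solution_time"]))
```

Running it shows the question's `(?<Time>.*?)ms` capturing the whole event prefix up to the first "ms" (timestamp, logger name and all), which is why avg and max came back blank while count still worked; `(?<Time>.?)ms` captures the single space before "ms" (displayed as nothing, hence "no results"), `(?<Time>.?) ms` captures only the last digit, and `(?<Time>\d+) ms` captures 1658 or 2074. One caveat worth keeping in mind: `(?<Request>\/.*):` is greedy and runs to the last colon in the event, so it would over-capture if a later field ever contained a colon; the `\/[^:]+` form in the single-rex version stops at the first colon and is the safer choice. Python's re dialect is close to, but not identical with, the PCRE used by Splunk, so treat this as a simulation and confirm the final pattern in Splunk itself.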

Path Finder

Yes perfect @aohls

0 Karma

Path Finder

@ansusabu can you take a look at this?

0 Karma