Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need help filtering search results by milliseconds - values are in a string

rickytrumper
New Member
‎02-18-2013 03:27 PM

New splunk user here so I'm not very familiar with how some of the commands work, so I apologize in advance.

My search results display a string "SQLResult which took 6953ms" (without the quotes) - I would like to filter that list by any result that has a value of say 9000ms or higher. Is it possible to do something like this?

Basically it's to create a list or alert when users are running large or open-ended queries so that we can track those incidents.

Thanks,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000
0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-19-2013 04:53 AM

Its just regular expression syntax info

"duration" is a named capture group that you can reference later, it could be called "sausages" or pretty much anything else.

This : (?<duration>\d+)

just means grab as many digits as you can, and store it in the variable called "duration"

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 05:17 PM

is the duration a splunk specific field or is that something you just used? if I had a number that wasn't a duration of time could I use the same approach?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-18-2013 05:04 PM

You don't have to award any points Ricky. Accepting an answer awards 20 points anyway, and upvoting awards 10.

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:29 PM

Not sure how many points need to be awarded but that's the max it would allow, thanks again!

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:28 PM

Thanks, that worked perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...