Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need help filtering search results by milliseconds - values are in a string

rickytrumper
New Member
‎02-18-2013 03:27 PM

New splunk user here so I'm not very familiar with how some of the commands work, so I apologize in advance.

My search results display a string "SQLResult which took 6953ms" (without the quotes) - I would like to filter that list by any result that has a value of say 9000ms or higher. Is it possible to do something like this?

Basically it's to create a list or alert when users are running large or open-ended queries so that we can track those incidents.

Thanks,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000
0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-19-2013 04:53 AM

Its just regular expression syntax info

"duration" is a named capture group that you can reference later, it could be called "sausages" or pretty much anything else.

This : (?<duration>\d+)

just means grab as many digits as you can, and store it in the variable called "duration"

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 05:17 PM

is the duration a splunk specific field or is that something you just used? if I had a number that wasn't a duration of time could I use the same approach?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-18-2013 05:04 PM

You don't have to award any points Ricky. Accepting an answer awards 20 points anyway, and upvoting awards 10.

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:29 PM

Not sure how many points need to be awarded but that's the max it would allow, thanks again!

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:28 PM

Thanks, that worked perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...