hi,
I have a query with the below mentioned resultset
logger: com.optum.bh.benefit.plan.api.BhBenefitPlansResource
message: bhben-plan-api:bHPlanView(), env=prod packageId = 1438939 timeUsed(ms) = 19
properties: { [+]
}
severity: DEBUG
thread: http-nio-8080-exec-5
}
Show as raw text
host = hec-splunk.optum.commessage = bhben-plan-api:bHPlanView(), env=prod packageId = 1438939 timeUsed(ms) = 19source = bhwebservice.logsourcetype = cba_shared_components:scwebservice:error_log
Need to extract timeUsed(ms) field so that I can build a table for the elapsed time for the requests
This should do it.
... | rex "timeUsed\(ms) = (?<timeUsed>\d+)"
This should do it.
... | rex "timeUsed\(ms) = (?<timeUsed>\d+)"
Error in 'rex' command: Encountered the following error while compiling the regex 'timeUsed(ms) = (?\d+)': Regex: unmatched closing parenthesis
was able to build a dashboard guys, thanks for your help
rex "timeUsed(ms) = (?<timeUsed>\d+)"|table timeUsed | eval timeUsedBucket=case(timeUsed<=100,"0-100ms",timeUsed<=200,"101-200ms",timeUsed<=500,"201-500ms",timeUsed<=1000,"501-1000ms",timeUsed<=5000,"1001-5000ms",1==1,"above 5000ms")| stats count by timeUsedBucket
That error message usually means there's a missing backslash \\
.
Done, thanks
index=cba_shared_components timeUsed(ms)| rex "timeUsed(ms) = (?\d+)"|table timeUsed
Use backticks to keep the system from eating your code.
If your problem is resolved then please accept the answer to help future readers.
you fix it
Updated it a bit
rex "timeUsed(ms) = (?\d+)"
Done, thanks
index=cba_shared_components timeUsed(ms)| rex "timeUsed(ms) = (?\d+)"|table timeUsed
working on that