Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing us and ms times (e.g. q=15ms)

Oren
Explorer
‎07-14-2010 07:51 PM

We have a log line that looks like:

Jul 14 15:47:34 127.0.0.1 1 [000004ff000216970000489c] Serv foo.com 158578_40df389_527b/127.0.0.1:10465 2/10 ql=0 rt=49us wait=0ms sok=2ms tot=2ms sv=175ms ut=7us xfr=1093944

I'd like to be able to run a query where I find all entries where the wait is greater than 200ms for example. Splunk is parsing it as a text field right now though. Suggestions on how to get this numeric? I don't care about the units really - the fact that some numbers are milliseconds and some are microseconds doesn't matter in splunk if that helps.

Tags (2)
0 Karma
Reply

ziegfried
Influencer
‎07-14-2010 08:10 PM

If your events would contain "q=15ms"you could extract the numerical value using the rex command:

<your search> | rex field=q "(?<q_numeric>\d+)(?<q_unit>\D+)"

The field q_numeric would then contain the numeric value 15 and q_unit with the value "ms"

You could also normalize the value of q_numeric like this:

... | eval q_us=if(q_unit="ms", q_numeric*1000, q_numeric)

and filter out those events > 200ms with

... | where q_us>200000
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...