Solved: Regex Help for special characters

chanukhya · ‎11-29-2016

Hi,

My log looks like this. I am trying to get the average response time by service.

ServiceInvoker (service_A) : executeFlow : Time Take is = 3378
ServiceInvoker (service_B) : executeFlow : Time Take is = 378
ServiceInvoker (service_C) : executeFlow : Time Take is = 338

Here is what i have:

 index=app  |rex '\ServiceInvoker\s+"((?<service>\S+))"\s+:\s+executeFlow\s+:\s+Time\s+take\s+is\s+=\s+(?<response_time>\d+)'   | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

The brackets that are surrounding the service name is causing an issue for retrieving the results. Any help or ideas would be appreciated.
Thanks in advance

gokadroid · ‎11-29-2016

Try this:

index=app 
|rex field=_raw "(.*|^)ServiceInvoker\s*\((?<service_name>[^\)]+)\)\s*.*Time\s*Take\s*is\s*\=\s*(?<respTime>[\d]+)"
| stats  sparkline(avg(respTime),1m) as processTime_trend, avg(respTime),count BY service_name

See here the regex in action

View solution in original post

lakromani · ‎11-30-2016

Do you need all the line in the regex? If not, you can do like this:

index=app  | rex "Time Take is =\s(?<respnse_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

gokadroid · ‎11-29-2016

Try this:

index=app 
|rex field=_raw "(.*|^)ServiceInvoker\s*\((?<service_name>[^\)]+)\)\s*.*Time\s*Take\s*is\s*\=\s*(?<respTime>[\d]+)"
| stats  sparkline(avg(respTime),1m) as processTime_trend, avg(respTime),count BY service_name

See here the regex in action

aljohnson_splun · ‎11-29-2016

Hi @Chanukhya,

Just escape the ( with a backslash.

https://regex101.com/r/BTBkvw/1

ServiceInvoker\s+\((?<service_name>\w+)\)\s+:\s+(?<service_flow>\w+)\s+:[^=]+=\s(?<response_time>\d+)

chanukhya · ‎11-29-2016

Sorry, It didn't work. Updated my question.

sundareshr · ‎11-29-2016

Try this

*UPDATED

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

*OR*

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)" | rex "=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

chanukhya · ‎11-30-2016

Thanks for your help.

gcusello · ‎11-29-2016

Remember to put backslash before =
Bye.
Giuseppe

chanukhya · ‎11-29-2016

Sorry, It didn't worked.

sundareshr · ‎11-29-2016

Try the updated query

chanukhya · ‎11-29-2016

It didn't worked as well, The service names are different and some service names has an underscore in the name and some dont. I am trying to get the average response times and count for each service, which is in between the brackets.

sundareshr · ‎11-29-2016

Do you see any results when you try this

index=app  | rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | table servicename response_time

Regex Help for special characters

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Regex Help for special characters

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)