Solved: Re: Regex Help for special characters

chanukhya · ‎11-29-2016

Hi,

My log looks like this. I am trying to get the average response time by service.

ServiceInvoker (service_A) : executeFlow : Time Take is = 3378
ServiceInvoker (service_B) : executeFlow : Time Take is = 378
ServiceInvoker (service_C) : executeFlow : Time Take is = 338

Here is what i have:

 index=app  |rex '\ServiceInvoker\s+"((?<service>\S+))"\s+:\s+executeFlow\s+:\s+Time\s+take\s+is\s+=\s+(?<response_time>\d+)'   | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

The brackets that are surrounding the service name is causing an issue for retrieving the results. Any help or ideas would be appreciated.
Thanks in advance

gokadroid · ‎11-29-2016

Try this:

index=app 
|rex field=_raw "(.*|^)ServiceInvoker\s*\((?<service_name>[^\)]+)\)\s*.*Time\s*Take\s*is\s*\=\s*(?<respTime>[\d]+)"
| stats  sparkline(avg(respTime),1m) as processTime_trend, avg(respTime),count BY service_name

See here the regex in action

View solution in original post

lakromani · ‎11-30-2016

Do you need all the line in the regex? If not, you can do like this:

index=app  | rex "Time Take is =\s(?<respnse_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

gokadroid · ‎11-29-2016

Try this:

index=app 
|rex field=_raw "(.*|^)ServiceInvoker\s*\((?<service_name>[^\)]+)\)\s*.*Time\s*Take\s*is\s*\=\s*(?<respTime>[\d]+)"
| stats  sparkline(avg(respTime),1m) as processTime_trend, avg(respTime),count BY service_name

See here the regex in action

aljohnson_splun · ‎11-29-2016

Hi @Chanukhya,

Just escape the ( with a backslash.

https://regex101.com/r/BTBkvw/1

ServiceInvoker\s+\((?<service_name>\w+)\)\s+:\s+(?<service_flow>\w+)\s+:[^=]+=\s(?<response_time>\d+)

chanukhya · ‎11-29-2016

Sorry, It didn't work. Updated my question.

sundareshr · ‎11-29-2016

Try this

*UPDATED

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

*OR*

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)" | rex "=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

chanukhya · ‎11-30-2016

Thanks for your help.

gcusello · ‎11-29-2016

Remember to put backslash before =
Bye.
Giuseppe

chanukhya · ‎11-29-2016

Sorry, It didn't worked.

sundareshr · ‎11-29-2016

Try the updated query

chanukhya · ‎11-29-2016

It didn't worked as well, The service names are different and some service names has an underscore in the name and some dont. I am trying to get the average response times and count for each service, which is in between the brackets.

sundareshr · ‎11-29-2016

Do you see any results when you try this

index=app  | rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | table servicename response_time

Regex Help for special characters

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation