Regex: I want to extract two fields from a log mes...

nandhiniG · ‎07-21-2020

HI ,

I have a log message like " total accounts for user is 11 retrieved in 67 milliseconds".

How to extract 11 as totalaccounts and 67 as seconds and visualize a chart

rnowitzki · ‎07-21-2020

Hi @nandhiniG ,

You could extract the values with this:

| makeresults
| eval logmessage="total accounts for user is 11 retrieved in 67 milliseconds"
| rex field=logmessage "total\saccounts\sfor\suser\sis\s(?<totalaccounts>\d+)\sretrieved\sin\s(?<ms>\d+)\smilliseconds"

You don't need the first 2 lines, they are just to sample the data you have already.

In the third line, you have to adjust the field=logmessage. It depends on in which field the log message appears. Probably _raw.

You don't have to put the whole sentence as a regular expression, this would just make it 100% sure it doesn't catch the values from "similiar" messages.

Now you can work with the new fields totalaccounts and ms and put them in a chart. What do you want to visualize?

Just to give you an example, this is the avg count and ms over a span of 5 minutes:

| timechart span=5m avg(totalaccounts), avg(ms)

Hope it helps.
BR

Ralph

--
Karma and/or Solution tagging appreciated.

nandhiniG · ‎07-21-2020

I want to visualize the time taken for each request with the resulting count of accounts

Regex: I want to extract two fields from a log message and visualize as a line chart

chart

field extraction

regex

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?