Splunk Search

Table or graph view for range of results

Nidd
Path Finder

I have logs in my application that look like:

8/7/19 1:30:35.977 AM   
[8/7/19 1:30:35:977 MST] 00000232 MyClass I   Method Process | ProcessingTime=8ms
host=myHost source=/location/SystemOut.log 

There are many such logs, with processing times ranging from 20ms to 6000ms.

I need to bring this out in the form of a table like:

0-100ms                 5
100-200ms               12
200-500ms               6
500-1000ms              24
1000-5000ms             40
above 5000ms            2

Can someone help on how to achieve this?

1 Solution

jpolvino
Builder

Here is one way:

| makeresults 
| eval raw="[8/7/19 1:30:35:977 MST] 00000232 MyClass I   Method Process | ProcessingTime=8ms
 host=myHost source=/location/SystemOut.log###[8/7/19 1:30:36:977 MST] 00000232 MyClass I   Method Process | ProcessingTime=123ms
 host=myHost source=/location/SystemOut.log###[8/7/19 1:30:37:011 MST] 00000232 MyClass I   Method Process | ProcessingTime=1001ms
 host=myHost source=/location/SystemOut.log###[8/7/19 1:30:39:533 MST] 00000232 MyClass I   Method Process | ProcessingTime=1010ms
 host=myHost source=/location/SystemOut.log"
| makemv delim="###" raw | mvexpand raw | rename raw AS _raw
| rex "ProcessingTime=(?<dur>\d+)ms"
| eval durBucket=case(dur<=100,"0-100ms",dur<=200,"101-200ms",dur<=500,"201-500ms",dur<=1000,"501-1000ms",dur<=5000,"1001-5000ms",1==1,"above 5000ms")
| stats count by durBucket

This extracts the duration into the field "dur" if you don't have access to this already. It uses case to manually bucket.


Nidd
Path Finder

Do I have to include all my logs in eval?! I didn't get that part, @jpolvino!


jpolvino
Builder

Lines 1-7 are simply creating events for illustration purposes, and line 8 creates a field for the duration.

Your real search should probably look something like:
index=something sourcetype=something_else
followed by lines 8 through 10 above. If your host and source are always going to be the same, then you can add those right after the index and sourcetype example right above.
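As an added example (not from jpolvino's post), here is the real-data form of that search with the same case() buckets, plus a numeric sort key so the rows come out in duration order instead of the alphabetical order stats would otherwise give ("0-100ms", "1001-5000ms", "101-200ms", ...). The index and sourcetype names are placeholders; host and source are the values from the question.

```spl
index=something sourcetype=something_else host=myHost source=/location/SystemOut.log "ProcessingTime="
| rex "ProcessingTime=(?<dur>\d+)ms"
| where isnotnull(dur)
| eval dur=tonumber(dur)
| eval bucketOrder=case(dur<=100,1, dur<=200,2, dur<=500,3, dur<=1000,4, dur<=5000,5, true(),6)
| eval durBucket=case(bucketOrder==1,"0-100ms", bucketOrder==2,"101-200ms", bucketOrder==3,"201-500ms",
                      bucketOrder==4,"501-1000ms", bucketOrder==5,"1001-5000ms", true(),"above 5000ms")
| stats count AS events, max(dur) AS slowestMs BY bucketOrder durBucket
| sort bucketOrder
| fields - bucketOrder
```

The where clause drops events whose message has no ProcessingTime field, so they are not silently counted in the "above 5000ms" default branch.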
