I have logs in my application that look like:
8/7/19 1:30:35.977 AM [8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms host=myHost source=/location/SystemOut.log
There are many such logs, with different processing times ranging from 20ms to 6000ms.
I need to bring this out in the form of a table like:
0-100ms 5
100-200ms 12
200-500ms 6
500-1000ms 24
1000-500ms 40
above 5000ms 2
Can someone help with how to achieve this?
Here is one way:
| makeresults
| eval raw="[8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:36:977 MST] 00000232 MyClass I Method Process | ProcessingTime=123ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:37:011 MST] 00000232 MyClass I Method Process | ProcessingTime=1001ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:39:533 MST] 00000232 MyClass I Method Process | ProcessingTime=1010ms
host=myHost source=/location/SystemOut.log"
| makemv delim="###" raw | mvexpand raw | rename raw AS _raw
| rex "ProcessingTime=(?<dur>\d+)ms"
| eval durBucket=case(dur<=100,"0-100ms",dur<=200,"101-200ms",dur<=500,"201-500ms",dur<=1000,"501-1000ms",dur<=5000,"1001-5000ms",1==1,"above 5000ms")
| stats count by durBucket
This extracts the duration into the field "dur" if you don't have access to this already. It uses case to manually bucket.
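The bucketing logic of the answer above, re-done as an added standalone Python example (not code from the answer or from Splunk) so the behaviour of the rex/case/stats pipeline can be checked offline: it applies the same regex and the same inclusive upper edges as the case() call, and it also shows the one caveat worth knowing before trusting the counts, namely that an event with no ProcessingTime field gets no dur, so case() yields null for it and "stats count by durBucket" silently drops it from the table. The log lines are constructed for illustration; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample events in the format shown in the question (not real data).
# The last line has no ProcessingTime field on purpose, to show it is dropped.
SAMPLE_LOG = """\
[8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:36:977 MST] 00000232 MyClass I Method Process | ProcessingTime=123ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:37:011 MST] 00000232 MyClass I Method Process | ProcessingTime=1001ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:39:533 MST] 00000232 MyClass I Method Process | ProcessingTime=1010ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:40:002 MST] 00000232 MyClass I Method Process | ProcessingTime=100ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:41:120 MST] 00000232 MyClass I Method Process | ProcessingTime=6000ms host=myHost source=/location/SystemOut.log
[8/7/19 1:30:42:000 MST] 00000232 MyClass I Method Started host=myHost source=/location/SystemOut.log
"""

# Same pattern as the answer's rex: the digits between "ProcessingTime=" and "ms".
DURATION_RE = re.compile(r"ProcessingTime=(?P<dur>\d+)ms")

# Same inclusive upper edges and labels as the answer's case() call
# (dur<=100, dur<=200, ...); None stands in for the 1==1 catch-all.
BUCKETS = [
    (100, "0-100ms"),
    (200, "101-200ms"),
    (500, "201-500ms"),
    (1000, "501-1000ms"),
    (5000, "1001-5000ms"),
    (None, "above 5000ms"),
]


def extract_duration(line):
    """Return ProcessingTime in ms as an int, or None when the line has no such
    field (the equivalent of rex leaving 'dur' unset on that event)."""
    m = DURATION_RE.search(line)
    return int(m.group("dur")) if m else None


def bucket_label(dur):
    """Return the first bucket whose inclusive upper edge the duration does not exceed."""
    for upper, label in BUCKETS:
        if upper is None or dur <= upper:
            return label


def count_buckets(log_text):
    """Equivalent of '| stats count by durBucket': events with no duration are
    skipped, just as Splunk omits events whose by-field is null."""
    counts = Counter()
    for line in log_text.splitlines():
        dur = extract_duration(line)
        if dur is None:
            continue
        counts[bucket_label(dur)] += 1
    # Rows in bucket order, empty buckets omitted, like the stats output.
    return [(label, counts[label]) for _, label in BUCKETS if counts[label]]


if __name__ == "__main__":
    for label, n in count_buckets(SAMPLE_LOG):
        print(f"{label:<14}{n}")
```

Note that the 100ms event lands in "0-100ms" because the edges are inclusive, and the "Started" event does not appear anywhere; if you want to see how many events fell out of the table, add a separate count of events where dur is missing rather than assuming the bucket totals equal the event total.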
Do I have to include all my logs in eval?! I didn't get that part, @jpolvino!
Lines 1-7 are simply creating events for illustration purposes, and line 8 creates a field for the duration.
Your real search should probably look something like:
index=something sourcetype=something_else
followed by lines 8 through 10 above. If your host and source are always going to be the same, then you can add those right after the index and sourcetype example right above.