Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Total time taken to execute a log

Bhavika
Loves-to-Learn
‎06-27-2024 03:34 AM

I am writing a query which will give total time taken by a log/event for execution in milliseconds :

index=xyz cluster_id = [cluster_id] "logs_statistics"| rex field=_raw "Total Time taken in milliseconds: (?<totalTime>.*\d+) \n*"|table time totalTime

This executes but totalTime is null as shown below :

time                                                                    totalTime

2024-06-23T03:00:45.038422703Z 
2024-06-23T03:00:15.453872121Z 
2024-06-23T03:00:23.33625642Z

 

Expected :

time                                                                    totalTime

2024-06-23T03:00:45.038422703Z544
2024-06-23T03:00:15.453872121Z528

 

What am I missing ?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-27-2024 03:40 AM

Please share your raw event in a code block </> to prevent the removal of important formatting information.

Having said that, is seems unlikely that the ".*" is required in your rex. Try something like this

| rex field=_raw "Total Time taken in milliseconds: (?<totalTime>\d+)"
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...