Splunk Search

composite counters - regex to convert to individual variables at search time for graphing

charleswheelus
Path Finder

I have composite counters for latency in the form "latency=1.0/3.0/5.0ms" which are min/avg/max respectively.

I would like to be able to graph these individually, something like the graph below.

I think I should be able to remove the units ("ms") and break these up at search time into components (perhaps: latency.min, latency.avg, latency.max) using a regex. I was hoping someone would be kind enough to show me how this can be done, or perhaps something similar.

graph of composite variable

1 Solution

charleswheelus
Path Finder

OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)

Just to make other readers' lives easier (you can cut and paste the code below):


mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency

To build the graph try this:


mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)

View solution in original post
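The same extraction outside Splunk, as an added example that is not code from this thread: a Python `re` pattern with the three named groups the accepted `rex` uses, applied to a handful of constructed log lines, followed by the min/avg/max roll-up that `timechart min(minlatency) avg(avglatency) max(maxlatency)` produces for one time bucket. It goes slightly beyond the thread's regex in two ways: the decimal point is escaped so it only matches a literal dot, and the fractional part is optional so integer-only counters such as `latency=2/4/6ms` are extracted as well. Note that Python spells a named group `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; the sample events, host names and timestamps are made up for the example.

```python
import re
from statistics import mean

# Constructed sample events (not taken from the original thread).
SAMPLE_EVENTS = [
    "2021-10-01T10:00:01Z host=app01 latency=1.0/3.0/5.0ms",
    "2021-10-01T10:00:02Z host=app01 latency=0.8/2.5/9.1ms",
    "2021-10-01T10:00:03Z host=app02 latency=2/4/6ms",   # integer-only counters
    "2021-10-01T10:00:04Z host=app02 status=ok",         # no latency counter at all
]

# Same three named groups as the thread's rex.  The dot is escaped so it matches
# only a literal decimal point, and "(?:\.\d+)?" makes the fraction optional
# (a generalization of the thread's \d+\.\d+).  Python's re needs (?P<name>...);
# Splunk's PCRE-style rex uses (?<name>...).
LATENCY_RE = re.compile(
    r"latency=(?P<minlatency>\d+(?:\.\d+)?)"
    r"/(?P<avglatency>\d+(?:\.\d+)?)"
    r"/(?P<maxlatency>\d+(?:\.\d+)?)ms"
)


def extract_latency(event: str):
    """Return (min, avg, max) in ms as floats, or None when the event carries
    no latency counter.  Equivalent to `rex ... | table minlatency avglatency
    maxlatency` for a single event: the 'ms' unit is consumed by the pattern and
    never lands in the fields."""
    match = LATENCY_RE.search(event)
    if match is None:
        return None
    return tuple(float(match.group(g))
                 for g in ("minlatency", "avglatency", "maxlatency"))


def summarize(events):
    """Roll one time bucket up the way the thread's timechart does:
    min of the per-event mins, mean of the avgs, max of the maxes.
    Events without a counter are skipped, as they would be after rex."""
    rows = [r for r in (extract_latency(e) for e in events) if r is not None]
    if not rows:
        return None
    mins, avgs, maxs = zip(*rows)
    return {"min": min(mins), "avg": mean(avgs), "max": max(maxs)}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event, "->", extract_latency(event))
    print("bucket summary:", summarize(SAMPLE_EVENTS))
```

Escaping the dot matters more than it looks: an unescaped `.` is "any character", so `\d+.\d+` also accepts values such as `1x0`, and a single stray character in a counter would then be silently parsed into the wrong number rather than rejected.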

yannK
Splunk Employee

If your event has "latency=1.0/3.0/5.0ms",
then try:


mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency

Display as a line graph.

Edit: beware, the web messed up the display; between the counters, use an escaping backslash before the slash.

0 Karma

yannK
Splunk Employee

Look at the "edited x days ago" link to see the correct command; the forum rendering is messing up the search command.

0 Karma

charleswheelus
Path Finder

I tried this but it did not work. I substituted "\/" for "/" which produced three empty columns minlatency, avglatency, and maxlatency. Going to dig into the rex command in the manual to see if I can figure out the correct incantation. Thanks for pointing me in the right direction.

0 Karma