I have composite counters for latency in the form "latency=1.0/3.0/5.0ms" which are min/avg/max respectively.
I would like to be able to graph these individually, something like the graph below.
I think I should be able to remove the units ("ms") and break these up at search time into components (perhaps: latency.min, latency.avg, latency.max) using a regex. I was hoping someone would be kind enough to show me how this can be done, or perhaps something similar.
OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)
Just to make other readers' lives easier (you can cut and paste the code below):
mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency
To build the graph try this:
mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)
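An added example, not part of the original posts: a Python check of the same extraction over constructed sample events, useful for validating the pattern offline before running it in a search. It assumes Python's `(?P<name>...)` group syntax in place of `(?<name>...)`, one-minute buckets standing in for the timechart span, and hypothetical function names; the escaped dot rejects the malformed sample that an unescaped `.` would accept.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same pattern as the rex command, in Python syntax. The dot is escaped so it
# matches only a literal decimal point, not any character.
LATENCY_RE = re.compile(
    r"latency=(?P<minlatency>\d+\.\d+)/(?P<avglatency>\d+\.\d+)/(?P<maxlatency>\d+\.\d+)ms"
)

# Constructed sample events (timestamp plus composite counter), not real data.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:05 host=a latency=1.0/3.0/5.0ms",
    "2024-01-01T10:00:40 host=a latency=0.5/2.0/9.5ms",
    "2024-01-01T10:01:10 host=a latency=2.0/4.0/6.0ms",
    "2024-01-01T10:01:30 host=a latency=n/a",            # counter absent
    "2024-01-01T10:01:50 host=a latency=1x0/3.0/5.0ms",  # malformed number
]

def extract(event):
    """Return (minute, min, avg, max) with numeric values, or None if no match."""
    m = LATENCY_RE.search(event)
    if m is None:
        return None
    minute = datetime.fromisoformat(event.split()[0]).replace(second=0)
    return (minute, float(m["minlatency"]), float(m["avglatency"]),
            float(m["maxlatency"]))

def timechart(events):
    """Per-minute min(minlatency), avg(avglatency), max(maxlatency)."""
    buckets = defaultdict(list)
    for event in events:
        row = extract(event)
        if row is not None:          # skip events where the pattern did not match
            buckets[row[0]].append(row[1:])
    result = {}
    for minute, rows in sorted(buckets.items()):
        mins, avgs, maxs = zip(*rows)
        result[minute.strftime("%H:%M")] = (
            min(mins), sum(avgs) / len(avgs), max(maxs))
    return result

if __name__ == "__main__":
    for minute, values in timechart(SAMPLE_EVENTS).items():
        print(minute, values)
```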
If your event has "latency=1.0/3.0/5.0ms"
then try
mysearch latency | rex "latency=(?<minlatency>\d+\.\d+)\/(?<avglatency>\d+\.\d+)\/(?<maxlatency>\d+\.\d+)ms" | table _time minlatency avglatency maxlatency
Display as a line graph.
Edit: beware, the web messed up the display. Between the counters, use an escaping backslash before the slash.
Look at the "edited x days ago" link to see the correct command; the forum rendering is messing up the search command.
I tried this but it did not work. I substituted "\/" for "/" which produced three empty columns minlatency, avglatency, and maxlatency. Going to dig into the rex command in the manual to see if I can figure out the correct incantation. Thanks for pointing me in the right direction.