Splunk Search

composite counters - regex to convert to individual variables at search time for graphing

charleswheelus
Path Finder

I have composite counters for latency in the form "latency=1.0/3.0/5.0ms" which are min/avg/max respectively.

I would like to be able to graph these individually, something like the graph below.

I think I should be able to remove the units ("ms") and break these up at search time into components (perhaps: latency.min, latency.avg, latency.max) using a regex. I was hoping someone would be kind enough to show me how this can be done, or perhaps something similar.

graph of composite variable

1 Solution

charleswheelus
Path Finder

OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)

Just to make other readers life easier (you can cut and paste the code below):


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency

To build the graph try this:


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)

View solution in original post

charleswheelus
Path Finder

OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)

Just to make other readers life easier (you can cut and paste the code below):


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency

To build the graph try this:


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)

yannK
Splunk Employee
Splunk Employee

if your event has "latency=1.0/3.0/5.0ms"
then try


mysearch latency | rex "latency=(?\d+.\d+)\/(?\d+.\d+)\/(?\d+.\d+)ms" | table _time minlatency avglatency maxlatency

display as line graph

edit, beware the web messed up the display, between the counteers, use an escaping backslash before the slash.

0 Karma

yannK
Splunk Employee
Splunk Employee

look at the "edited x days ago" link to see the correct command, the forum rendering is messing up the search command.

0 Karma

charleswheelus
Path Finder

I tried this but it did not work. I substituted "\/" for "/" which produced three empty columns minlatency, avglatency, and maxlatency. Going to dig into the rex command in the manual to see if I can figure out the correct incantation. Thanks for pointing me in the right direction.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...