how to extract the response time from below logs

cholt520
New Member

The information has already changed.............


kmorris_splunk
Splunk Employee

If I am correct in assuming the number in bold is the response time, you can extract it via the search like this:

YOUR BASE SEARCH 
| rex field=_raw "\d{3} - (?<responsetime>\d+) \""

You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.

If you did want to tweak the regex, or write it yourself, a great tool to use is www.regex101.com to build those regular expressions.


jkat54
SplunkTrust

Fyi, the leading .* is almost always assumed with Splunk regex


kmorris_splunk
Splunk Employee

Point taken. =D


jkat54
SplunkTrust

via rex (in your search)

 ...| rex "\d{3}\s+-\s+(?<ms>\d+)"

via props.conf (in search app - may require restart)

 [sourcetypeName]
 EXTRACT-ms = \d{3}\s+-\s+(?<ms>\d+)

richgalloway
SplunkTrust

This works at search time. You could adapt it for use at index time.

... | rex "\] \".*?\" \d+ - (?<responseTime>\d+)" | ...
---
If this reply helps you, Karma would be appreciated.
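The three regexes proposed in this thread differ in how much surrounding context they require before the capture, and that matters when parts of the event (request path, user agent) are under the client's control. The following is an added example, not code from any of the posters: it runs the thread's patterns with Python's re module over two constructed events (the original poster's log lines are no longer on the page, so the event layout is an assumption inferred from the regexes). Splunk's rex uses the PCRE-style (?<name>...) group syntax, which Python spells (?P<name>...); that is the only change made to the patterns.

```python
import re
from typing import Dict, Optional

# Constructed sample events in the layout the thread's regexes imply:
#   [timestamp] "request line" <status> - <response time> "<user agent>"
# (assumption: the original log lines are not on the page)
SAMPLE_EVENT = (
    '[10/Mar/2024:12:00:01 +0000] "GET /api/items HTTP/1.1" 200 - 145 "Mozilla/5.0"'
)

# Same layout, but the client-supplied request line happens to contain
# "<3 digits> - <digits>" before the real status/response-time pair.
TRICKY_EVENT = (
    '[10/Mar/2024:12:00:02 +0000] "GET /reports/2024 - 001 HTTP/1.1" 404 - 12 "curl/8.0"'
)

# The thread's three suggestions, keyed by poster, with (?<name>...)
# rewritten as Python's (?P<name>...).
PATTERNS = {
    "kmorris": r'\d{3} - (?P<responsetime>\d+) "',
    "jkat54": r"\d{3}\s+-\s+(?P<ms>\d+)",
    "richgalloway": r'\] ".*?" \d+ - (?P<responseTime>\d+)',
}


def extract_response_time(event: str, pattern: str) -> Optional[int]:
    """Return the captured response time as an int, or None if the pattern
    does not match. Like Splunk's rex, only the first match is used."""
    match = re.search(pattern, event)
    if match is None:
        return None
    # Each pattern has exactly one named group; its name varies per poster.
    (value,) = match.groupdict().values()
    return int(value)


def extract_all(event: str) -> Dict[str, Optional[int]]:
    """Apply every pattern in PATTERNS to one event."""
    return {name: extract_response_time(event, pat) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, event in (("sample", SAMPLE_EVENT), ("tricky", TRICKY_EVENT)):
        print(label, event)
        for name, value in extract_all(event).items():
            print(f"  {name:13s} -> {value}")
```

On the clean event all three patterns agree (145). On the second event the least-anchored pattern captures 1 from the request path, because `\d{3}\s+-\s+` is satisfied before the scan ever reaches the status code, while the two patterns that also require the trailing quote or the closing quote of the request line still return 12. When the extracted field feeds alerting or dashboards, prefer the version that anchors on fixed delimiters of the log format rather than on a bare digit run.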
