Splunk Search

How to extract the response time from the logs below

cholt520
New Member

The information has already changed.............


kmorris_splunk
Splunk Employee

If I am correct in assuming the number in bold is the response time, you can extract it via the search like this:

YOUR BASE SEARCH 
| rex field=_raw "\d{3} - (?<responsetime>\d+) \""

You can also use the field extractor in Splunk to do this pretty easily by choosing a sample event and highlighting the value. The field extractor will generate the regex for you, though in some cases you may need to edit that and tweak it. In this case, I think Splunk would probably do a good job at grabbing the correct value. With this method you will always get the field at search time without having to extract it in your searches.

If you did want to tweak the regex, or write it yourself, a great tool to use is www.regex101.com to build those regular expressions.


jkat54
SplunkTrust

Fyi, the leading .* is almost always assumed with Splunk regex


kmorris_splunk
Splunk Employee

Point taken. =D


jkat54
SplunkTrust

via rex (in your search)

 ...| rex "\d{3}\s+-\s+(?<ms>\d+)"

via props.conf (in the search app; may require a restart)

 [sourcetypeName]
 EXTRACT-ms = \d{3}\s+-\s+(?<ms>\d+)

richgalloway
SplunkTrust

This works at search time. You could adapt it for use at index time.

... | rex "\] \".*?\" \d+ - (?<responseTime>\d+)" | ...
---
If this reply helps you, Karma would be appreciated.

adonio
Ultra Champion