splunk search

foysal0124 · ‎02-14-2021

I have an event value like this 2021-02-15 18:07:33,936, where the last value after comma(936) means the response time in ms. i tried to extract that value and want to average response time but it did not work.

how i can extract the value after comma from that field. i tried something like this

avg(mvindex(split(TimeStamp,","),-1)) as AverageResponse

TimeStamp=2021-02-15 18:07:33,936

Best Regards

Foysal

foysal0124 · ‎02-15-2021

awesome, it worked

gcusello · ‎02-14-2021

Hi @foysal0124,

you can extract the values between commas using a regex and then calculate average using the stats command, something like this:

Your_search
| rex ",(?<response_time>\d+),"
| stats avg(response_time) AS average

if in your logs there's the possibility to have also other numbers between commas, you have to use a just a little more complex regex like this:

Your_search
| rex "^\d+-\d+-\d+\s+\d+:\d+:\d+,(?<response_time>\d+),"
| stats avg(response_time) AS average

that you can test at https://regex101.com/r/q4VyFQ/1

Ciao.

Giuseppe

foysal0124 · ‎02-15-2021

awesome test tool, thanks

scelikok · ‎02-14-2021

Hi @foysal0124,

You use rex command like below;

| rex field=TimeStamp "\,(?<AverageResponse>\d+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

foysal0124 · ‎02-15-2021

awesome, it worked, thanks for ur help

splunk search

regex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

splunk search

regex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES