@ashvini_mishra Yes, everything is possible with Splunk 😀

You can paste this query into a search window and it will give you the results you want. The important part is the rex and stats statements. Note that the query contains 3 rex statements and you only need ONE of these, but I have shown you different options, depending on whether you also want to split by the status, in case you get errors in the operation.

First rex = will extract status code as well as status message
Second rex = will extract status code
Third rex = just extracts operation

| makeresults
| eval _raw="log
http://host/manager/resource_identifier/ids/getOrCreate/bulk?streaming=true&dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 OK:22
http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78
http://host/manager/resource_identifier/storage/import:200 OK:100
http://host/manager/resource_identifier/storage/import:200 OK:20"
| multikv forceheader=1
| mvexpand log
| table log
| rex field=log "(?<url>https?://([^/]*/){4})(?<operation>[^/]*)[^:]*:(?<status>\d+)\s?(?<statusMessage>[^:]*):(?<duration>\d+)"
| rex field=log "(?<url>https?://([^/]*/){4})(?<operation>[^/]*)[^:]*:(?<status>\d+)[^:]*:(?<duration>\d+)"
| rex field=log "(?<url>https?://([^/]*/){4})(?<operation>[^/]*)([^:]*:){2}(?<duration>\d+)"
| stats avg(duration) AvgDuration by operation
| eval AvgDuration=round(AvgDuration)

Note that the regex is working on this principle:
- protocol can be http OR https
- there is a host and 3 elements to the URL path and these are delimited by / character
- it is based on a field called log
- the 'operation' field is assumed to be surrounded with / character
- the last line will round the average to 0 decimal places

Hope this helps
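An offline check of the first rex from the post above, added here as an example and not part of the original post: it ports the pattern to Python, runs it over the post's four sample lines plus two constructed ones (an https error response and a URL with too few path elements), and averages duration by operation or by operation and status. The names `LOG_RE`, `SAMPLE` and `avg_duration` are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Python form of the first rex: (?P<name>...) replaces (?<name>...), and the
# repeated path-element group is made non-capturing.
LOG_RE = re.compile(
    r"(?P<url>https?://(?:[^/]*/){4})(?P<operation>[^/]*)[^:]*"
    r":(?P<status>\d+)\s?(?P<statusMessage>[^:]*):(?P<duration>\d+)"
)

# The first four lines are the post's sample data; the last two are constructed.
SAMPLE = """\
http://host/manager/resource_identifier/ids/getOrCreate/bulk?streaming=true&dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 OK:22
http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78
http://host/manager/resource_identifier/storage/import:200 OK:100
http://host/manager/resource_identifier/storage/import:200 OK:20
https://host:8443/manager/resource_identifier/storage/import:500 Internal Server Error:40
http://host/manager/import:200 OK:5
"""


def avg_duration(lines, by=("operation",)):
    """Return ({group key: rounded average duration}, [lines the regex skipped])."""
    groups, skipped = defaultdict(list), []
    for line in lines:
        m = LOG_RE.search(line)  # unanchored search
        if m is None:
            # Fewer than host + 3 path elements before the operation: no fields.
            skipped.append(line)
            continue
        key = tuple(m.group(name) for name in by)
        groups[key].append(int(m.group("duration")))
    # Round half up to 0 decimal places (durations are non-negative).
    averages = {k: int(sum(v) / len(v) + 0.5) for k, v in groups.items()}
    return averages, skipped


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for by in (("operation",), ("operation", "status")):
        averages, skipped = avg_duration(lines, by)
        print(by, averages)
    print("not matched:", skipped)
```

In Splunk, an event that the rex does not match gets no operation field and so drops out of `stats ... by operation`, which is why the skipped line is worth surfacing when testing the pattern.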