Hi Everyone
Sample logs:
{"kubernetes":{"container_name":"sign-template-services","namespace_name":"merch-ps-signs-stress-1","pod_name":"sign-template-services-14-chfbn"},"message":"::ffff:100.65.19.1 - - [05-Mar-2020 09:58:48 CST] \"GET /health HTTP/1.1\" 200 30 - **7.807** ms\n","hostname":"ocp-usc1-lle-b-app-f-g3q9.c.kohls-openshift-lle.internal","@timestamp":"2020-03-05T15:58:48.231999+00:00","cluster_name":"ocp.gcpusc1-b.lle.xpaas"}
{"kubernetes":{"container_name":"sign-template-services","namespace_name":"merch-ps-signs-ci","pod_name":"sign-template-services-39-gb69d"},"message":"::ffff:100.109.92.1 - - [05-Mar-2020 09:57:31 CST] \"GET /health HTTP/1.1\" 200 30 - **33.245** ms\n","hostname":"ocp-usc1-lle-c-app-f-7ml9.c.kohls-openshift-lle.internal","@timestamp":"2020-03-05T15:57:31.808739+00:00","cluster_name":"ocp.gcpusc1-c.lle.xpaas"}
We need to extract a field called "Response_Time" which is highlighted in these logs. The data is available in the field "message".
I have tried the below regex but it does not seem to work.
index=kohls_prod_infrastructure_openshift_raw kubernetes.container_name=sign-template-services
| rex field=MESSAGE "\d{3} d{2} - (?\d+) ms\""
Please help!
Thanks.
Hi @maria_n,
Try this:
index=kohls_prod_infrastructure_openshift_raw kubernetes.container_name=sign-template-services
| rex field=message "-\s(?<Response_Time>[\d\.]+)"
Sample query:
| makeresults
| eval message = "::ffff:100.65.19.1 - - [05-Mar-2020 09:58:48 CST] \"GET /health HTTP/1.1\" 200 30 - 7.807 ms\n"
| rex field=message "-\s(?<Response_Time>[\d\.]+)"
You didn't give the field a name and you didn't capture the period. Try something like:
rex field=message "\d{3}\s\d{2}\s\-\s(?<Response_Time>[\d\.]+)\sms"
./DF
Hi @maria_n,
Only one question: is the field "message" or "MESSAGE"? Check the correct case.
Try something like this:
index=kohls_prod_infrastructure_openshift_raw kubernetes.container_name=sign-template-services
| rex field=MESSAGE "\s+(?<Response_Time>[^ ]+)\sms"
you can test the regex at https://regex101.com/r/82WdWC/1
Ciao.
Giuseppe
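As an added example (not part of any post in this thread), the following Python script runs the three answers' patterns over JSON records modelled on the two sample lines in the question, and shows why the regex in the question cannot work: `(?\d+)` is not a valid group, so the engine rejects it before it matches anything. The sample records are constructed here; the only change to the posted patterns is that Python's `re` module spells a named group `(?P<name>...)` where Splunk's `rex` accepts `(?<name>...)`. It also checks Giuseppe's point that the field name is case-sensitive: the JSON key is `message`, not `MESSAGE`.

```python
import json
import re
from typing import List, Optional

# Constructed sample records, modelled on the two log lines in the question.
# Each is one line of JSON; the HTTP access line lives under the "message" key.
SAMPLE_LINES = [
    '{"kubernetes":{"container_name":"sign-template-services",'
    '"namespace_name":"merch-ps-signs-stress-1","pod_name":"sign-template-services-14-chfbn"},'
    '"message":"::ffff:100.65.19.1 - - [05-Mar-2020 09:58:48 CST] '
    '\\"GET /health HTTP/1.1\\" 200 30 - 7.807 ms\\n",'
    '"hostname":"ocp-usc1-lle-b-app-f-g3q9.c.kohls-openshift-lle.internal",'
    '"@timestamp":"2020-03-05T15:58:48.231999+00:00","cluster_name":"ocp.gcpusc1-b.lle.xpaas"}',
    '{"kubernetes":{"container_name":"sign-template-services",'
    '"namespace_name":"merch-ps-signs-ci","pod_name":"sign-template-services-39-gb69d"},'
    '"message":"::ffff:100.109.92.1 - - [05-Mar-2020 09:57:31 CST] '
    '\\"GET /health HTTP/1.1\\" 200 30 - 33.245 ms\\n",'
    '"hostname":"ocp-usc1-lle-c-app-f-7ml9.c.kohls-openshift-lle.internal",'
    '"@timestamp":"2020-03-05T15:57:31.808739+00:00","cluster_name":"ocp.gcpusc1-c.lle.xpaas"}',
]

# The pattern exactly as posted in the question: "(?\d+)" is not a valid group,
# so no regex engine will compile it (Python's re raises re.error).
BROKEN_PATTERN = r'\d{3} d{2} - (?\d+) ms"'

# The three working patterns from the answers, with (?<name>...) rewritten as
# (?P<name>...) because that is the named-group syntax Python's re module uses.
ANSWER_PATTERNS = {
    "first_dash_then_number": r"-\s(?P<Response_Time>[\d.]+)",
    "status_bytes_dash_ms": r"\d{3}\s\d{2}\s-\s(?P<Response_Time>[\d.]+)\sms",
    "token_before_ms": r"\s+(?P<Response_Time>[^ ]+)\sms",
}


def compiles(pattern: str) -> bool:
    """Return True if the regex is syntactically valid for Python's re module."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def field_present(record_line: str, field: str) -> bool:
    """JSON keys are case-sensitive: "message" exists in the sample, "MESSAGE" does not."""
    return field in json.loads(record_line)


def extract_response_time(record_line: str, pattern: str) -> Optional[float]:
    """Parse one JSON record, apply the regex to its "message" field, return the time in ms."""
    record = json.loads(record_line)
    message = record.get("message")
    if message is None:
        return None
    match = re.search(pattern, message)
    if match is None:
        return None
    return float(match.group("Response_Time"))


def extract_all(lines: List[str], pattern: str) -> List[Optional[float]]:
    """Apply one pattern to every record, in order."""
    return [extract_response_time(line, pattern) for line in lines]


if __name__ == "__main__":
    print("question's regex compiles:", compiles(BROKEN_PATTERN))
    print('field "message" present:', field_present(SAMPLE_LINES[0], "message"))
    print('field "MESSAGE" present:', field_present(SAMPLE_LINES[0], "MESSAGE"))
    for name, pattern in ANSWER_PATTERNS.items():
        print(f"{name}: {extract_all(SAMPLE_LINES, pattern)}")
```

All three answer patterns return 7.807 and 33.245 for the two sample records. The stricter `\d{3}\s\d{2}\s-\s...` form pins the match to the status code and byte count, but as written it assumes a two-digit byte count; the `[^ ]+\sms` form anchors on the trailing ` ms` instead and does not depend on the response size.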