Solved: How to write a search to return events with a vari...

snabel · ‎11-23-2014

Hi,

I've this log entry:

"2014-11-22 02:42:10,545 .. - average:2.74425 , min:1.43 , max:4.007..."

i want to create a search query that returns all log entries with "average > 5"

i want to select the date of the log entry and the average value,

can this be done? how can i do this?

Thanks,
Snabel

martin_mueller · ‎11-23-2014

Sure:

index=foo sourcetype=bar average>5 | table _time average

View solution in original post

snabel · ‎11-25-2014

i think i found it:
language: (?[a-z][a-z]+-+[a-z][a-z]*)

martin_mueller · ‎11-23-2014

Sure:

index=foo sourcetype=bar average>5 | table _time average

snabel · ‎11-25-2014

Thanks it worked 🙂

martin_mueller · ‎11-23-2014

Did you already extract the average field?

If not, go to Settings -> Fields -> Field Extractions -> New, enter "average" as name, fill in your sourcetype, and use this as inline extraction:

average:(?<average>\d+\.?\d*)

Then try again. By default, Splunk extracts key=value but not key:value.

snabel · ‎11-23-2014

it didn't work. i got:
No results found.

even though i have many log entries:
"2014-11-22 02:42:10,545 .. - average:5.34425 , min:1.43 , max:4.007..."
"2014-11-22 02:42:10,545 .. - average:5.36425 , min:1.43 , max:4.007..."

How to write a search to return events with a variable field value greater than a certain number?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life