I am new to SPL. I want to get all mongo queries from my mongo logs which take more than 5 ms to execute. My mongo logs are like this:
Thu Jun 13 15:47:25 [conn15] update mydb.mycollection query: { cId: 2441, tId: 545, uId: 478, status: 1, type: "0", dDt: { $lte: new Date(1371138445623) } } update: { $set: { status: 3 } } nscanned:120 nupdated:0 keyUpdates:0 locks(micros) w:10602 10ms
The last entry here (10 ms) is the time in milliseconds. How can I filter these queries?
Something like this should work for you:
...|rex field=_raw "(?<LastEntryTime>\d+)ms$" |search LastEntryTime>5
JSapienza provided a nice working regex below. I would recommend checking if Splunk will automatically extract that as well. You might already have this as a field.
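As an added illustration (not part of the original thread or of Splunk), here is the same extraction and filter done in Python over constructed sample lines in the format quoted in the question: a regex anchored on the trailing "<digits>ms", then a numeric threshold. Lines without a duration (e.g. connection events) are skipped rather than matched as an empty string, which is why the pattern uses \d+ instead of \d*.

```python
import re

# Constructed sample lines in the format shown in the question (not real log data).
SAMPLE_LOG = """\
Thu Jun 13 15:47:25 [conn15] update mydb.mycollection query: { cId: 2441, tId: 545 } update: { $set: { status: 3 } } nscanned:120 nupdated:0 keyUpdates:0 locks(micros) w:10602 10ms
Thu Jun 13 15:47:26 [conn16] query mydb.other query: { uId: 478 } ntoreturn:0 nscanned:3 nreturned:1 reslen:64 2ms
Thu Jun 13 15:47:27 [conn17] query mydb.mycollection query: { status: 1 } nscanned:5000 nreturned:10 reslen:2000 150ms
Thu Jun 13 15:47:28 [conn15] end connection 127.0.0.1:5555
"""

# Same idea as the SPL rex: anchor on the trailing "<digits>ms" at end of line.
# \d+ rather than \d* so a line must actually carry a duration to match.
DURATION_RE = re.compile(r"(?P<LastEntryTime>\d+)ms$")
# Extra context (assumed layout): operation and namespace after the [connN] tag.
OP_RE = re.compile(r"\[conn\d+\] (?P<op>\w+) (?P<ns>[\w.$]+)")


def parse_line(line):
    """Return a dict with the duration (and op/namespace if present), or None."""
    m = DURATION_RE.search(line)
    if m is None:
        return None  # e.g. "end connection" lines carry no duration
    rec = {"LastEntryTime": int(m.group("LastEntryTime")), "_raw": line}
    op = OP_RE.search(line)
    if op:
        rec["op"] = op.group("op")
        rec["ns"] = op.group("ns")
    return rec


def slow_queries(log_text, threshold_ms=5):
    """Equivalent of `... | rex ... | search LastEntryTime>5` over a text blob."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line.rstrip())
        if rec and rec["LastEntryTime"] > threshold_ms:
            out.append(rec)
    return out


if __name__ == "__main__":
    for r in slow_queries(SAMPLE_LOG):
        print(r["LastEntryTime"], r.get("op"), r.get("ns"))
```

In Splunk the rex field is extracted as a string, but `search LastEntryTime>5` compares numerically when both sides look numeric, so the SPL above behaves like the int() conversion here.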