We have the following entries in our app log:
2013-12-06 09:09:23,918 Level=INFO Thread=http-apr-45082-exec-2 Logger=c.e.l.l.TestTracking MessageUUID=f2823947-ebc7-449d-b774-816354fc29ea MessageName=RandomGet MessageVersion=1.0 UserUUID=f2823947-ebc7-449d-b774-816354fc29ea SessionUUID=f2823947-ebc7-449d-b774-816354fc29ea IPAddress=127.0.0.1 Message="RequestSerialization=11887,CacheGetTotalTime=179544,ResultsDeserialization=61,TotalTime=800392,"
I want to timechart TP99 and need help with the Splunk query. Here's my attempt, which is not yielding any results.
host=Testserv* source=/var/log/tomcat/myapp/app.log Level=INFO | rex max_match=100 field=Message "(?P<metricdata>[^,]+)[,]" | table metricdata | mvexpand metricdata | rex field=metricdata "(?<metric>\w+)=(?<latencyus>\d+)" | where latencyus>0 | eval latency=latencyus/1000 | search metric="TotalTime"| timechart span=15m exactperc99(latency), exactperc99.9(latency)
The problem you have is that you're missing _time when you get to run the timechart. At the start, in your table command, you need to add _time there. Your search string should then become:
host=Testserv* source=/var/log/tomcat/myapp/app.log Level=INFO | rex max_match=100 field=Message "(?P<metricdata>[^,]+)[,]" | table _time metricdata | mvexpand metricdata | rex field=metricdata "(?<metric>\w+)=(?<latencyus>\d+)" | where latencyus>0 | eval latency=latencyus/1000 | search metric="TotalTime"| timechart span=15m exactperc99(latency), exactperc99.9(latency)
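As an added illustration (not code from the original thread), here is the same pipeline written in Python over constructed sample lines laid out like the log entry above. It makes the answer concrete: every stage after the first rex needs the event timestamp (_time) attached to each expanded metric row, or the 15-minute bucketing has nothing to group on. The nearest-rank percentile and the bucket alignment are assumptions about what exactperc99 and timechart span=15m compute, not Splunk's documented internals.

```python
import math
import re
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical values) in the layout of the log entry above.
LOG = """\
2013-12-06 09:09:23,918 Level=INFO Thread=http-apr-45082-exec-2 Logger=c.e.l.l.TestTracking Message="RequestSerialization=11887,CacheGetTotalTime=179544,ResultsDeserialization=61,TotalTime=800392,"
2013-12-06 09:12:01,004 Level=INFO Thread=http-apr-45082-exec-3 Logger=c.e.l.l.TestTracking Message="RequestSerialization=9000,TotalTime=120000,"
2013-12-06 09:20:45,777 Level=INFO Thread=http-apr-45082-exec-1 Logger=c.e.l.l.TestTracking Message="TotalTime=50000,"
2013-12-06 09:33:10,250 Level=WARN Thread=http-apr-45082-exec-1 Logger=c.e.l.l.TestTracking Message="TotalTime=999999,"
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} Level=(\w+) .*?Message="([^"]*)"')
METRIC_RE = re.compile(r"(\w+)=(\d+)")   # same pattern as the second rex in the query

def parse_events(text):
    """search Level=INFO | rex | mvexpand | rex | where: one (time, metric, us) row per metric."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "INFO":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")   # this is _time
        for metric, us in METRIC_RE.findall(m.group(3)):
            if int(us) > 0:                                        # where latencyus>0
                rows.append((ts, metric, int(us)))
    return rows

def exact_percentile(values, p):
    """Nearest-rank percentile over all values (assumed to match exactperc's unsampled result)."""
    s = sorted(values)
    return s[max(1, math.ceil(p / 100 * len(s))) - 1]

def timechart_p99(rows, metric="TotalTime", span_min=15):
    """timechart span=15m exactperc99(latency): needs the timestamp on every row,
    which is exactly what `table metricdata` without _time threw away."""
    buckets = {}
    for ts, name, us in rows:
        if name != metric:                                         # search metric="TotalTime"
            continue
        start = ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % span_min)        # align to the 15m span
        buckets.setdefault(start.strftime("%Y-%m-%d %H:%M"), []).append(us / 1000)  # latencyus/1000
    return {b: exact_percentile(v, 99) for b, v in sorted(buckets.items())}

if __name__ == "__main__":
    for bucket, p99 in timechart_p99(parse_events(LOG)).items():
        print(bucket, p99)
```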
Thanks David. This indeed was the case.