calculating time of free form value in log message

moj0002 · ‎02-19-2014

Is there a way I can create a bar chart with the response time extracted from these free form log messages that corellate on the ID. There will always only be a pair (starting and finished) I would like the result to be timestamp and the duration (in this case)

2014.02.18-19:05:07:687 minus 2014.02.18-19:05:07:583 = 104 milliseconds displayed in a barchart.

Not sure if this is possible

19:05:07,583 INFO starting to wait for message with ID [ID:ABC2020123} at [2014.02.18-19:05:07:583]

19:05:10,216 INFO starting to wait for message with ID [ID:XYZ2020456} at [2014.02.18-19:05:10:216]

19:05:07,687 INFO finished waiting for message with ID [ID:ABC2020123} at [2014.02.18-19:05:07:687]

somesoni2 · ‎02-20-2014

Try this

index=main sourcetype="mytran" | rex "^(?:[^ ]* ){2}(?P<action>[^ ]+)" | rex "\[ID:(?<ID>[^\}]+)" | transaction ID startswith=action=starting endswith=action=finished  | table _time, ID, duration

duration is in seconds.

HiroshiSatoh · ‎02-19-2014

I tried to extract the field(ID, time0).

･････| rex field=_raw "[^\[\n]*\[\w+:(?P<ID>[^\}]+)[^\[\n]*\[(?P<time0>[^\]]+)" | transaction fields=ID|eval time1=strptime(mvindex(time0,0),"%Y.%m.%d-%H:%M:%S:%3N")|eval time2=strptime(mvindex(time0,1),"%Y.%m.%d-%H:%M:%S:%3N")|eval time3=time2-time1|table ID,time0,time1,time2,time3

moj0002 · ‎02-25-2014

thank you that worked

calculating time of free form value in log message

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life