Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing us and ms times (e.g. q=15ms)

Oren
Explorer
‎07-14-2010 07:51 PM

We have a log line that looks like:

Jul 14 15:47:34 127.0.0.1 1 [000004ff000216970000489c] Serv foo.com 158578_40df389_527b/127.0.0.1:10465 2/10 ql=0 rt=49us wait=0ms sok=2ms tot=2ms sv=175ms ut=7us xfr=1093944

I'd like to be able to run a query where I find all entries where the wait is greater than 200ms for example. Splunk is parsing it as a text field right now though. Suggestions on how to get this numeric? I don't care about the units really - the fact that some numbers are milliseconds and some are microseconds doesn't matter in splunk if that helps.

Tags (2)
0 Karma
Reply

ziegfried
Influencer
‎07-14-2010 08:10 PM

If your events would contain "q=15ms"you could extract the numerical value using the rex command:

<your search> | rex field=q "(?<q_numeric>\d+)(?<q_unit>\D+)"

The field q_numeric would then contain the numeric value 15 and q_unit with the value "ms"

You could also normalize the value of q_numeric like this:

... | eval q_us=if(q_unit="ms", q_numeric*1000, q_numeric)

and filter out those events > 200ms with

... | where q_us>200000
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...