Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing us and ms times (e.g. q=15ms)

Oren
Explorer
‎07-14-2010 07:51 PM

We have a log line that looks like:

Jul 14 15:47:34 127.0.0.1 1 [000004ff000216970000489c] Serv foo.com 158578_40df389_527b/127.0.0.1:10465 2/10 ql=0 rt=49us wait=0ms sok=2ms tot=2ms sv=175ms ut=7us xfr=1093944

I'd like to be able to run a query where I find all entries where the wait is greater than 200ms for example. Splunk is parsing it as a text field right now though. Suggestions on how to get this numeric? I don't care about the units really - the fact that some numbers are milliseconds and some are microseconds doesn't matter in splunk if that helps.

Tags (2)
0 Karma
Reply

ziegfried
Influencer
‎07-14-2010 08:10 PM

If your events would contain "q=15ms"you could extract the numerical value using the rex command:

<your search> | rex field=q "(?<q_numeric>\d+)(?<q_unit>\D+)"

The field q_numeric would then contain the numeric value 15 and q_unit with the value "ms"

You could also normalize the value of q_numeric like this:

... | eval q_us=if(q_unit="ms", q_numeric*1000, q_numeric)

and filter out those events > 200ms with

... | where q_us>200000
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...