Splunk Search

composite counters - regex to convert to individual variables at search time for graphing

charleswheelus
Path Finder

I have composite counters for latency in the form "latency=1.0/3.0/5.0ms" which are min/avg/max respectively.

I would like to be able to graph these individually, something like the graph below.

I think I should be able to remove the units ("ms") and break these up at search time into components (perhaps: latency.min, latency.avg, latency.max) using a regex. I was hoping someone would be kind enough to show me how this can be done, or perhaps something similar.

graph of composite variable

1 Solution

charleswheelus
Path Finder

OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)

Just to make other readers life easier (you can cut and paste the code below):


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency

To build the graph try this:


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)

View solution in original post

charleswheelus
Path Finder

OK, now I got it to work. Thanks yannK. When viewing your underlying answer, I see all the backslashes needed. (I was only using the backslash before the slashes)

Just to make other readers life easier (you can cut and paste the code below):


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency

To build the graph try this:


mysearch latency | rex "latency=(?<minlatency>\d+.\d+)\/(?<avglatency>\d+.\d+)\/(?<maxlatency>\d+.\d+)ms" | table _time minlatency avglatency maxlatency | timechart min(minlatency) avg(avglatency) max(maxlatency)

yannK
Splunk Employee
Splunk Employee

if your event has "latency=1.0/3.0/5.0ms"
then try


mysearch latency | rex "latency=(?\d+.\d+)\/(?\d+.\d+)\/(?\d+.\d+)ms" | table _time minlatency avglatency maxlatency

display as line graph

edit, beware the web messed up the display, between the counteers, use an escaping backslash before the slash.

0 Karma

yannK
Splunk Employee
Splunk Employee

look at the "edited x days ago" link to see the correct command, the forum rendering is messing up the search command.

0 Karma

charleswheelus
Path Finder

I tried this but it did not work. I substituted "\/" for "/" which produced three empty columns minlatency, avglatency, and maxlatency. Going to dig into the rex command in the manual to see if I can figure out the correct incantation. Thanks for pointing me in the right direction.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...