I searched the Answers and the boards, but not effectively. I am trying to have Splunk alert when the days are greater than 20 days after "Duration:" below:
2012-07-03 12:43:36,996 DEBUG
Thanks in Advance.
Splunk should automatically give you a field for Duration since it's a key-value pair with a semi-colon separating it. Do you see this in the field discovery on the bottom left of the search screen?
Then create a search like this: sourcetype=something | where Duration > 20. With that you can now create an alert for this condition. Depending on how often this occurs, you'll want to choose a timeframe for your alert: is it over the last month, week, day, hour, etc.? That is configurable.
By default, Splunk only finds key-value pairs with an equal sign. If your data had
Duration=31
then Splunk would automatically extract the Duration field. But, as sdaniels suggested, you can use the Interactive Field Extractor to create a field, and then use the search as suggested.
To keep it simple, use the field extractor. See the link below; it will generate the regex for you. Enter several values like 31 etc. from the raw events, put them on separate lines, then generate the regex and call the field what you want. Then perform the search using the new field.
http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample
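As an added example (not from any of the posts above, and not Splunk's own code): a small Python script that applies the kind of regex the field extractor would generate to a few constructed log lines, pulls only the integer after "Duration:" into its own field, and keeps the events where it exceeds 20. The sample events and the text that follows "Duration:" are assumptions, since the original event is truncated in the question.

```python
import re

# Constructed sample events for this example. The layout after "Duration:"
# is assumed; the original post only shows the timestamp/level prefix.
SAMPLE_EVENTS = [
    "2012-07-03 12:43:36,996 DEBUG Job finished. Duration: 31 days 4 hours 12 minutes",
    "2012-07-03 12:44:01,120 DEBUG Job finished. Duration: 7 days 0 hours 5 minutes",
    "2012-07-03 12:45:10,003 DEBUG Job finished. Duration: 20 days 23 hours 59 minutes",
    "2012-07-03 12:46:22,417 DEBUG Job started.",  # no Duration field at all
    "2012-07-03 12:47:55,880 DEBUG Job finished. Duration: 45 days",
]

# Capture only the leading integer after "Duration:" so the field compares as a
# number rather than as the whole "31 days 4 hours ..." string. This is the same
# shape of regex a Splunk rex extraction would use; Splunk writes the named
# group as (?<Duration>\d+), Python needs (?P<Duration>\d+).
DURATION_RE = re.compile(r"Duration:\s*(?P<Duration>\d+)")


def extract_duration_days(event: str):
    """Return the integer after 'Duration:', or None if the event has no such field."""
    m = DURATION_RE.search(event)
    return int(m.group("Duration")) if m else None


def events_over_threshold(events, threshold_days=20):
    """Mimic `... | where Duration > 20`: events without the field are dropped, not alerted on."""
    hits = []
    for ev in events:
        days = extract_duration_days(ev)
        if days is not None and days > threshold_days:
            hits.append((days, ev))
    return hits


if __name__ == "__main__":
    for days, ev in events_over_threshold(SAMPLE_EVENTS):
        print(f"{days:>3} days  {ev}")
```

The equivalent inside Splunk itself is the search `sourcetype=something | rex "Duration:\s*(?<Duration>\d+)" | where tonumber(Duration) > 20`; the `tonumber()` call makes the numeric comparison explicit so "31 days" is never compared as a string. Note that an event whose Duration is exactly 20 is not matched, and an event with no Duration at all is silently skipped rather than treated as 0.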
I do not see it as a key value. But if it did, wouldn't it be everything after the ":"? I only want to do Duration > 20, but it would have days, hours, etc. after it.
How do I extract the entry so it is only "31", so I can perform the gt action?