- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- extract field for below mentioned log
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the log mentioned below I need to extract the field 'Response Time' and then frame a query for response time < 10sec
2017-06-19 10:29:25,556 [[weather-project-v1-dev-corp].api-httpListenerConfig.worker.01] INFO org.mule.api.processor.LoggerMessageProcessor - Transaction [4610f1e7c84641f7ac851ea04d0e4e7b] - Response Time [0.404325574999973] - HTTP Status [200] - Returned Success Response to Client
Can some one please suggest how can I add "Response time" to interesting fields and then I can use it for framing queries accordingly.
Thanks.
Vikram.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use the field extractor:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
example in docs:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in your props.conf:
EXTRACT-ResponseTimeMS = (Response Time \[)(?<ResponseTimeMS>[0-9]*\.[0-9]*)(\])
in your query, maybe use a case statement:
|eval ResponseSpeedType=case(ResponseTimeMS<10, "UnderTen", ResponseTimeMS>10, "OverTen", True(), "DefaultForEverythingElse")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can start with rex. However, Use Splunk's Interactive Field Extraction to let Splunk generate Regular Expression based on your data sample. (https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)
<YourBaseSearch>
| rex field=_raw "Response Time \[(?<ResponseTime>[^\]]+)\]"
| where ResponseTime <10
| table _time ResponseTime _raw
Looking at your data unless you have already done so, you should also create extractions for Transaction ID and HTTP Status code to come up with more meaningful data transformations.
If you test out above Regular Expression with your data you should consider creating Field Extraction for the same so that the Field persists as a Knowledge Object.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use the field extractor:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
example in docs:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This process link helps....https://docs.splunk.com/Documentation/Splunk/6.6.1/Scenarios/Extractfields
Thanks Adonio
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
