Splunk Search

Field results

katouoma
New Member

Hi everyone,
I'm new to Splunk and I want some help from you (please).

Here is an image to explain what I'm trying to do:
alt text

For field6 I have (for example) one code with 4 results in field5, each with its time in field2. So I want to calculate the time (field2) between each pair of results for one code (qr.webservice.server.operation.response, qr.webservice.server.operation.request) and (qr.ctg.GE01.response, qr.ctg.GE01.request).

Here is what I've done until now:
sourcetype="bigdata:pf:itoa:frontend:java:qr" host=S00VA9939084
field5="qr*" AND field5!="qr.clientsweetdev.person.context" AND field6="H*"
| table field6 , field5 , field2

Thank you

0 Karma
1 Solution

mayurr98
Super Champion

Hey

try this [TESTED]

<your query so far>| table field6 , field5 , field2 
|  rex field=field5 "qr\.(?<new>[^\.]+)" | eval field2=strptime(field2,"%H:%M:%S,%3Q")  | stats min(field2) as request,max(field2) as response by field6 ,new 
|  eval dur=response-request 
|  chart values(dur) over field6 by new

This will give the result in seconds; you may convert it according to your need to minutes or hours in |eval dur= using conversion logic.
Let me know if this helps!


0 Karma

katouoma
New Member

I'm trying to send an email to alert my manager if XEROX or SICLID is greater than 2s, but he didn't receive anything, so I think I made a mistake in the trigger condition:
alt text

alt text

0 Karma

katouoma
New Member

Thank you @mayurr98, this is exactly what I'm looking for.
alt text
However, I want to alert my manager if, for example, ctg or webservice is greater than 3s; he would receive an email with the line concerned.

0 Karma

mayurr98
Super Champion

Yes, you can rename it using the rename command. Also, if you want to add any condition, then you can do something like this:

| rename webservice as WebService ctg as CTG | where WebService>3 OR CTG>3

Append this at the end of the search

0 Karma
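The same pairing logic as the accepted search (extract the component after "qr.", take the request and response timestamps per code and component, subtract) plus the threshold check from the rename/where follow-up, written as an added Python example rather than anything from the thread. The events, field names and the 3-second limit are constructed to match the thread; unlike the min/max approach in the search, a code that has only a request (or only a response) is skipped instead of yielding a zero duration.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the thread's three fields:
# field6 = code, field5 = operation name, field2 = time as "HH:MM:SS,mmm".
SAMPLE_EVENTS = [
    {"field6": "H001", "field5": "qr.webservice.server.operation.request",  "field2": "10:00:01,120"},
    {"field6": "H001", "field5": "qr.webservice.server.operation.response", "field2": "10:00:04,620"},
    {"field6": "H001", "field5": "qr.ctg.GE01.request",  "field2": "10:00:01,300"},
    {"field6": "H001", "field5": "qr.ctg.GE01.response", "field2": "10:00:02,050"},
    {"field6": "H002", "field5": "qr.ctg.GE01.request",  "field2": "11:15:00,000"},
    {"field6": "H002", "field5": "qr.ctg.GE01.response", "field2": "11:15:00,900"},
    # request with no matching response: must not produce a 0-second duration
    {"field6": "H003", "field5": "qr.webservice.server.operation.request",  "field2": "12:00:00,000"},
]

# Same idea as the answer's rex "qr\.(?<new>[^\.]+)": the component is the
# first dotted segment after "qr.".
COMPONENT_RE = re.compile(r"^qr\.([^.]+)")
# Which side of the pair the event is; only a real trailing suffix counts.
SIDE_RE = re.compile(r"\.(request|response)$")


def parse_time(value):
    """Equivalent of strptime(field2, "%H:%M:%S,%3Q"): milliseconds after a comma."""
    return datetime.strptime(value, "%H:%M:%S,%f")


def durations(events):
    """Return {(code, component): seconds} for each complete request/response pair.

    Mirrors `stats min(field2) as request, max(field2) as response by field6, new`
    followed by `eval dur=response-request`, but keyed on the explicit
    request/response suffix so an unpaired event is dropped rather than
    reported as a zero duration.
    """
    groups = {}
    for ev in events:
        comp = COMPONENT_RE.match(ev["field5"])
        side = SIDE_RE.search(ev["field5"])
        if not comp or not side:
            continue  # not a qr.* request/response event
        key = (ev["field6"], comp.group(1))
        groups.setdefault(key, {})[side.group(1)] = parse_time(ev["field2"])

    result = {}
    for key, sides in groups.items():
        if "request" in sides and "response" in sides:
            result[key] = (sides["response"] - sides["request"]).total_seconds()
    return result


def over_threshold(durs, limit_seconds=3.0):
    """Equivalent of `| where WebService>3 OR CTG>3`: the (code, component) rows to alert on."""
    return sorted(key for key, secs in durs.items() if secs > limit_seconds)


if __name__ == "__main__":
    durs = durations(SAMPLE_EVENTS)
    for (code, component), secs in sorted(durs.items()):
        print(f"{code} {component}: {secs:.3f}s")
    print("over 3s:", over_threshold(durs))
```

The threshold function returns the rows rather than printing them so the same result can feed whatever notification step is used; the time parsing assumes all events of one code fall on the same day, as the thread's "HH:MM:SS,mmm" field carries no date.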


HiroshiSatoh
Champion

Try this!

・・・
| table field6 , field5 , field2
| eval field5=replace(field5,"\.(response|request)$","")
| stats min(field2) as start,max(field2) as end by field6 ,field5
| eval dur=strptime(end,"%H:%M:%S,%3Q")-strptime(start,"%H:%M:%S,%3Q")
| table field6 , field5 , dur
0 Karma

katouoma
New Member

Thanks a lot for your response, the result looks like the second table 😄 Perfect

0 Karma

katouoma
New Member

I want to calculate the duration between:
- qr.webservice.server.operation.response & qr.webservice.server.operation.request
- qr.ctg.GE01.response & qr.ctg.GE01.request
Here is an example:
alt text

I don't know if it's possible!

Or even like this:
alt text

0 Karma

mayurr98
Super Champion

What do you want to calculate exactly? It would be better if you give us the expected output table as well as the input table.

0 Karma