New Splunk user here so I'm not very familiar with how some of the commands work, so I apologize in advance.
My search results display a string "SQLResult which took 6953ms" (without the quotes) - I would like to filter that list by any result that has a value of say 9000ms or higher. Is it possible to do something like this?
Basically it's to create a list or alert when users are running large or open-ended queries so that we can track those incidents.
Thanks,
yes.
You need to extract the "duration" first with a regex, then filter.
... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000
It's just regular expression syntax info
"duration" is a named capture group that you can reference later, it could be called "sausages" or pretty much anything else.
This : (?<duration>\d+)
just means grab as many digits as you can, and store it in the variable called "duration"
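To make the accepted answer concrete, here is an added example (not code from the thread or from Splunk) that applies the same regex to a handful of constructed sample events and filters on the extracted value the way `| where duration > 9000` does. The pattern is the one from the answer; the only change is Python's `(?P<name>...)` spelling of a named capture group. The event lines, the field names and the 9000 ms threshold are assumptions for illustration.

```python
import re

# Same regex as the answer's rex command. In Splunk, (?<duration>\d+) creates a
# field called "duration"; Python writes a named group as (?P<duration>...).
DURATION_RE = re.compile(r"SQLResult which took (?P<duration>\d+)ms")

# Constructed sample events (not real log data) in the shape the question describes.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:01 app=billing SQLResult which took 6953ms",
    "2024-01-01 10:00:02 app=billing SQLResult which took 12044ms",
    "2024-01-01 10:00:03 app=reports SQLResult which took 9000ms",
    "2024-01-01 10:00:04 app=reports login ok",  # no SQLResult string at all
    "2024-01-01 10:00:05 app=search SQLResult which took 41987ms",
]


def extract_duration(event):
    """Mirror of `rex "SQLResult which took (?<duration>\\d+)ms"`.

    Returns the duration in ms as an int, or None when the pattern is absent.
    Splunk's rex likewise just leaves the field unset on non-matching events
    instead of erroring, so a mixed stream of events is fine.
    """
    m = DURATION_RE.search(event)
    if m is None:
        return None
    # The capture group is text. Convert it so the comparison is numeric;
    # as strings, "9000" > "12044" would be True (lexical order).
    return int(m.group("duration"))


def slow_queries(events, threshold_ms=9000):
    """Mirror of `| where duration > 9000`.

    Keeps events whose extracted duration is strictly greater than the
    threshold. Events without a duration are dropped, just as `where`
    drops rows where the field is null.
    """
    matches = []
    for event in events:
        duration = extract_duration(event)
        if duration is not None and duration > threshold_ms:
            matches.append(event)
    return matches


def alert_count(events, threshold_ms=9000):
    """Number of matching events, i.e. what an alert built on
    `... | where duration > 9000 | stats count` would trigger on."""
    return len(slow_queries(events, threshold_ms))


if __name__ == "__main__":
    for line in slow_queries(SAMPLE_EVENTS):
        print(line)
    print("alert would fire on", alert_count(SAMPLE_EVENTS), "events")
```

Two details worth noticing when translating this back to SPL. First, `> 9000` excludes an event that took exactly 9000 ms; if "9000ms or higher" is meant literally, use `>= 9000`. Second, rex extracts text, and the comparison only works as a number because Splunk treats numeric-looking strings as numbers in `where`; if the extraction ever picks up something non-numeric, wrapping the field as `tonumber(duration)` makes the intent explicit. And to the follow-up question below: "duration" is nothing Splunk-specific, it is just the capture group name, so the same rex-then-where approach works for any number you can pin down with a regex.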
Is the duration a Splunk-specific field or is that something you just used? If I had a number that wasn't a duration of time, could I use the same approach?
You don't have to award any points Ricky. Accepting an answer awards 20 points anyway, and upvoting awards 10.
Not sure how many points need to be awarded but that's the max it would allow, thanks again!
Thanks, that worked perfectly!