Splunk Search

I need help filtering search results by milliseconds - values are in a string

rickytrumper
New Member

New splunk user here so I'm not very familiar with how some of the commands work, so I apologize in advance.

My search results display a string "SQLResult which took 6953ms" (without the quotes) - I would like to filter that list by any result that has a value of say 9000ms or higher. Is it possible to do something like this?

Basically it's to create a list or alert when users are running large or open-ended queries so that we can track those incidents.

Thanks,

1 Solution

jonuwz
Influencer

Yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000



jonuwz
Influencer

It's just regular expression syntax info.

"duration" is a named capture group that you can reference later, it could be called "sausages" or pretty much anything else.

This: (?<duration>\d+)

just means grab as many digits as you can, and store them in the variable called "duration".

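As an added example (not from the thread and not Splunk code), here is the same extract-then-filter logic in Python, using the accepted answer's regex over a few constructed sample events. It keeps the 9000 ms-or-higher cutoff the question asked for and also shows why the captured digits must be treated as a number before comparing: as strings, "12040" sorts before "9000" and a 12 s query would be missed.

```python
import re

# Same pattern the accepted answer passes to rex; the named group
# "duration" captures the digits in front of "ms".
DURATION_RE = re.compile(r"SQLResult which took (?P<duration>\d+)ms")

# Constructed sample events, not taken from the original thread.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01 user=alice SQLResult which took 6953ms",
    "2024-03-01T10:00:02 user=bob SQLResult which took 12040ms",
    "2024-03-01T10:00:03 user=carol SQLResult which took 9000ms",
    "2024-03-01T10:00:04 user=dave connection opened",   # no duration
    "2024-03-01T10:00:05 user=erin SQLResult which took 850ms",
]


def extract_duration(event: str):
    """Mirror of the rex step: return the duration in ms as an int, or
    None when the pattern does not match (Splunk leaves the field unset)."""
    m = DURATION_RE.search(event)
    return int(m.group("duration")) if m else None


def slow_queries(events, threshold_ms=9000):
    """Mirror of the where step: keep events whose extracted duration is
    at least threshold_ms. Events with no duration are dropped, just as
    `where` drops events where the field is null."""
    hits = []
    for event in events:
        duration = extract_duration(event)
        if duration is not None and duration >= threshold_ms:
            hits.append((duration, event))
    return hits


def slow_queries_string_compare(events, threshold="9000"):
    """Deliberately wrong variant: compares the captured text as a string.
    Lexicographic order ranks "12040" below "9000", so bob's 12 s query
    is missed. Shows why the value must be numeric before filtering."""
    return [e for e in events
            if (m := DURATION_RE.search(e)) and m.group("duration") >= threshold]


if __name__ == "__main__":
    for duration, event in slow_queries(SAMPLE_EVENTS):
        print(f"{duration:>6} ms  {event}")
    print("numeric hits:", len(slow_queries(SAMPLE_EVENTS)))
    print("string-compare hits:", len(slow_queries_string_compare(SAMPLE_EVENTS)))
```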

rickytrumper
New Member

Is the duration a Splunk-specific field, or is that something you just used? If I had a number that wasn't a duration of time, could I use the same approach?


jonuwz
Influencer

You don't have to award any points Ricky. Accepting an answer awards 20 points anyway, and upvoting awards 10.


rickytrumper
New Member

Not sure how many points need to be awarded but that's the max it would allow, thanks again!


rickytrumper
New Member

Thanks, that worked perfectly!
