Hi everyone,
I am new to Splunk and still learning.
Can someone please help me on the below query?
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds
I want to get the screen name and service took time.
in the above example I need like this: "Select" screen services took 89 milliseconds
Please help me to get the query. I would really appreciate it! Thank you!
| makeresults
| eval _raw="test
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds
2020-03-30 13:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 13:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 13:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds"
| multikv forceheader=1
| fields _raw
| streamstats current=f count(eval(searchmatch("took"))) as session
| stats values(_raw) as _raw by session
| nomv _raw
| rex "(?ms)^.*\[(?<screen>\w+)\].*took (?<duration>\d+ \w+)"
| eval result="\"".screen."\" services took ".duration
I make session from screen changing
to took
how about this?
All these logs should contain a common values to join them together. Assuming [ - ] is the common value in all these logs you can try this:
| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]"
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)"
| stats latest(service) as service, latest(duration) as duration by common_value
| eval output="\"".service."\" screen services took".duration." milliseconds"
Sample query:
| makeresults
| eval _raw="_raw
2020-03-30 12:21:45,075 INFO com.www.yyy.MyClass[ - ] - screen changing to [Select]
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- checking
2020-03-30 12:25:31,574 DEBUG com.www.yyy.Manager[ - ] - Service- found
2020-03-30 12:25:31,663 DEBUG com.www.yyy.Manager[ - ] - All Service took 89 milliseconds"
| multikv forceheader=1
| fields _raw
| rex "\[(?<common_value>[\w\W]+)\]\s\-\sscreen\schanging\sto\s\[(?<service>\w+)\]"
| rex "\[(?<common_value>[\w\W]+)\]\s-\sAll\sService\stook\s(?<duration>\d+\smilliseconds)"
| stats latest(service) as service, latest(duration) as duration by common_value
| eval output="\"".service."\" screen services took".duration." milliseconds"
your multikv
is cool.