How to extract a field that has value more than 10...

splunknoob2020 · ‎12-14-2020

I have a splunk query that gives me all the logs of slow queries(AQL) but I need to know which ones have taken more than 10 sec. I need to compare them with previous version slow queries and see if there is any improvement?

My splunk query:

index=hello_world host_zone=pr source="*hi*" "slow query"

Sample log:

slow query: 'FOR s IN abcdef FILTER LOWER(ghijk) == '123456789' LET serviceId = lmno FOR v IN pqrst GRAPH uvw_xyz RETURN v', bind vars: {}, took: 5.384533 s

gcusello · ‎12-14-2020

Hi @splunknoob2020,

your problem is to extract the field or to compare results?

if it's extracting field, you can use a regex or the field extractor, using regexes:

| rex "took:\s+(?<took>[^ ]+)"

that you can test at https://regex101.com/r/b9Mk8r/1

Ciao.

Giuseppe

splunknoob2020 · ‎12-15-2020

Thank you for the response, @gcusello . Your query helped me in extracting the field, now I need to get all the slow queries which took more than 10 sec. Let's say in a tabular format I would like to see the slow query and the time it took to run in two columns?

gcusello · ‎12-15-2020

Hi @splunknoob2020,

not you have to create your search adding the condition (>10 sec) and the fields to list, something like this:

index=hello_world host_zone=pr source="*hi*" "slow query"
| rex "took:\s+(?<took>[^ ]+)"
| where took>10
| table <your-fields>

Ciao.

Giuseppe

How to extract a field that has value more than 10 sec?

field extraction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases