Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need help filtering search results by milliseconds - values are in a string

rickytrumper
New Member
‎02-18-2013 03:27 PM

New splunk user here so I'm not very familiar with how some of the commands work, so I apologize in advance.

My search results display a string "SQLResult which took 6953ms" (without the quotes) - I would like to filter that list by any result that has a value of say 9000ms or higher. Is it possible to do something like this?

Basically it's to create a list or alert when users are running large or open-ended queries so that we can track those incidents.

Thanks,

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎02-18-2013 03:58 PM

yes.

You need to extract the "duration" first with a regex, then filter.

... | rex "SQLResult which took (?<duration>\d+)ms" | where duration > 9000
0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-19-2013 04:53 AM

Its just regular expression syntax info

"duration" is a named capture group that you can reference later, it could be called "sausages" or pretty much anything else.

This : (?<duration>\d+)

just means grab as many digits as you can, and store it in the variable called "duration"

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 05:17 PM

is the duration a splunk specific field or is that something you just used? if I had a number that wasn't a duration of time could I use the same approach?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎02-18-2013 05:04 PM

You don't have to award any points Ricky. Accepting an answer awards 20 points anyway, and upvoting awards 10.

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:29 PM

Not sure how many points need to be awarded but that's the max it would allow, thanks again!

0 Karma
Reply
Solved! Jump to solution

rickytrumper
New Member
‎02-18-2013 04:28 PM

Thanks, that worked perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...