Regular expression works separately but, not able ...

mappu · ‎03-11-2024

Hello,

I'm trying to find average response time of all events after the field totalTimeTaken. Thing is, when I tested this regular expression on Regular Expression Site

It shows I'm extracting the field and value correctly but, when I put the same into the Splunk statement it is not yielding the expected result.

Log:

{"Record: {"ATimeTaken":0, "BTimeTaken":0 ,"totalTimeTaken":4},{anotherFields}}

Query:

| makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4" 
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time)

Could I know where I'm going wrong?

mappu · ‎03-12-2024

Removed the eval statement and got it working.

burwell · ‎03-11-2024

Hi.

So you tried

| makeresults ns=project*
| eval _raw="\"totalTimeTaken\":4" 
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(response_time)

And there are two problems.

1) the first makeresults .. I don't know what the ns=project* is. Here's the reference
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults

2) your rex is extracting the value into the field Response_Time but then use do stats avg on response_time in lowercase. Case matters in Splunk field names.

Here's what seems to work

| makeresults=1
| eval _raw="\"totalTimeTaken\":4" 
| rex field=_raw "\"totalTimeTaken\":+(?<Response_Time>\d+)"
| stats avg(Response_Time)

mappu · ‎03-11-2024

Thanks.

And, It is taking only one event and returning me average response time as 4 or any number I put in the eval field. I couldn't grab all the numbers in such logs/events and take average value.

Regular expression works separately but, not able to work it within Splunk query.

regex

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio