Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Table or graph view for range of results
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
08-07-2019
03:07 AM
I have logs in my application, that looks like:
8/7/19 1:30:35.977 AM [8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms host=myHost source=/location/SystemOut.log
There are many such logs, that have different processing time starting from 20ms to 6000ms.
I need to bring this out in the form of table like:
0-100ms 5
100-200ms 12
200-500ms 6
500-1000ms 24
1000-500ms 40
above 5000ms 2
Can someone help on how to achieve this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpolvino
Builder
08-07-2019
05:22 AM
Here is one way:
| makeresults
| eval raw="[8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:36:977 MST] 00000232 MyClass I Method Process | ProcessingTime=123ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:37:011 MST] 00000232 MyClass I Method Process | ProcessingTime=1001ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:39:533 MST] 00000232 MyClass I Method Process | ProcessingTime=1010ms
host=myHost source=/location/SystemOut.log"
| makemv delim="###" raw | mvexpand raw | rename raw AS _raw
| rex "ProcessingTime=(?<dur>\d+)ms"
| eval durBucket=case(dur<=100,"0-100ms",dur<=200,"101-200ms",dur<=500,"201-500ms",dur<=1000,"501-1000ms",dur<=5000,"1001-5000ms",1==1,"above 5000ms")
| stats count by durBucket
This extracts the duration into the field "dur" if you don't have access to this already. It uses case to manually bucket.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpolvino
Builder
08-07-2019
05:22 AM
Here is one way:
| makeresults
| eval raw="[8/7/19 1:30:35:977 MST] 00000232 MyClass I Method Process | ProcessingTime=8ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:36:977 MST] 00000232 MyClass I Method Process | ProcessingTime=123ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:37:011 MST] 00000232 MyClass I Method Process | ProcessingTime=1001ms
host=myHost source=/location/SystemOut.log###[8/7/19 1:30:39:533 MST] 00000232 MyClass I Method Process | ProcessingTime=1010ms
host=myHost source=/location/SystemOut.log"
| makemv delim="###" raw | mvexpand raw | rename raw AS _raw
| rex "ProcessingTime=(?<dur>\d+)ms"
| eval durBucket=case(dur<=100,"0-100ms",dur<=200,"101-200ms",dur<=500,"201-500ms",dur<=1000,"501-1000ms",dur<=5000,"1001-5000ms",1==1,"above 5000ms")
| stats count by durBucket
This extracts the duration into the field "dur" if you don't have access to this already. It uses case to manually bucket.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
08-07-2019
06:54 AM
Do I have to include all my logs in eval !!? Didn't get that part @jpolvino !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpolvino
Builder
08-07-2019
07:42 AM
Lines 1-7 are simply creating events for illustration purposes, and line 8 creates a field for the duration.
Your real search should probably look something like:
index=something sourcetype=something_else
followed by lines 8 through 10 above. If your host and source are always going to be the same, then you can add those right after the index and sourcetype example right above.
Get Updates on the Splunk Community!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
Splunk APM: New Product Features + Community Office Hours Recap!
Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...
Index This | Forward, I’m heavy; backward, I’m not. What am I?
April 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
