Solved: Re: help me with field extraction

sravankaripe · ‎02-10-2017

i want to convert it to

i want this fields

Average overtime
Max value overtime
min value overtime

somesoni2 · ‎02-10-2017

Give this a try

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9)

You can than add appropriate aggregation commands per your need. E.g.

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9) | stats avg(ActualTime) as "Average overtime" max(ActualTime) as "Max value overtime" min(ActualTime) as "min value overtime"

View solution in original post

somesoni2 · ‎02-10-2017

Give this a try

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9)

You can than add appropriate aggregation commands per your need. E.g.

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9) | stats avg(ActualTime) as "Average overtime" max(ActualTime) as "Max value overtime" min(ActualTime) as "min value overtime"

sravankaripe · ‎02-10-2017

| rex "ActualTime=\s(?[^|]*)\"" | rex field="ActualTime" "(?\d+) second (?\d+) millisec (?\d+) microsec (?\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9)

it working for me thanks

gcusello · ‎02-10-2017

Hi sravankaripe,
did you tried with the round function?

| eval ActualTime=round(ActualTime,0)

after you can calculate avg, max and min

| stats avg(ActualTime) AS avg max(ActualTime) AS max min(ActualTime) AS min

Bye.
Giuseppe

sravankaripe · ‎02-10-2017

In above img ActualTime i extracted through rex.
So, the result which you gave not working for me.

help me with field extraction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases