Saqib Ali
Reputation: 4428
Filtering Splunk results based on a numerical value in the log entry
We have an application that generates logs in the following manner:
task1: spend 51milliseconds
task2: spend 40milliseconds
task3: spend 30milliseconds
task1: spend 101milliseconds
We want to filter Splunk results such that it only shows logs entries where spend is more than 100milliseconds.
What is the best way to do that?
Upvotes: 0
Views: 821
Answers (2)
smi
Reputation: 56
Try,(assuming field name is log)
selects 3 digit values, by excluding first digit-if it is 0
| regex log="spend [1-9]{1}[0-9]{2}milliseconds"| table log
OR try
this will include morethan 3 digit values also
| regex log="spend [1-9]{1}\d\d+milliseconds"| table log
Upvotes: 1
Saqib Ali
Reputation: 4428
This works:
| rex "spend (?<timespent>.*)milliseconds" |WHERE timespent>100
Upvotes: 3
Related Questions
- Splunk - check logs that are equal to any string I provide
- REGEX not working- Filter the Splunk results
- Correlating logs with a pattern in Splunk
- Splunk extract a value from string which begins with a particular value
- Splunk query to extract a number (time taken)
- Extracting 5 fields from logfile containing a string in Splunk
- RegEx in Splunk Search
- splunk query for counting based on regex
- Splunk Custom Log format Parsing
- A regex with Splunk