Reputation: 2076
Extract/filter Splunk Query and for conditional logic
I use basic Splunk queries mostly, like
index=myIndexHere source="path/to/logs/app.log" "Keyword to Filter Query On Example"
My question is, I want to find logs that have a value called "Time taken:". Ok, that's great - based on what I wrote above, I know how to do that. I get a bunch of search results back in Splunk, that is in a JSON-style (this is logging from my Java Spring Boot application), i.e.
Object state is { "key1": "value",
"key2": "value",
"key3": "value"
}, Time taken: 500 ms
So it's some format like that. How can I filter/extract the "Time taken:" VALUE (just the numeric portion) and do a simple logic condition like "> 1000ms" such that I only get search results back that are greater than 1000ms?
Upvotes: 1
Views: 1703
Answers (1)
Reputation: 9916
One way is with the rex command. rex extracts capture groups into fields which can then be processed with other SPL commands.
index=myIndexHere source="path/to/logs/app.log" "Keyword to Filter Query On Example" "Time taken"
| rex "Time Taken:\s(?<timeTaken>\d+)"
| where timeTaken > 1000
This query assumes the Time taken field is always milliseconds. If it can change then the query becomes more complex.
Upvotes: 1
Related Questions
- Extract data from splunk
- Splunk filter one search by another
- Splunk conditional search
- Get distinct results (filtered results) of Splunk Query based on a results field/string value
- Splunk query filter out based on other event in same index
- If statements and extracting values
- Splunk query based on the results of another query
- Splunk - Get Prefefined Outputs Based on the event count and event data
- Extracting certain fields from Splunk query results
- Splunk query to filter results