k.jones
Reputation: 29
Using Splunk rex to extract String from logs
From splunk logs,how can I get a count of all those methods whose Time taken is > 10ms?
Splunk logs which look some thing like this :
c.s.m.c.advice.ExecutionTimeAdvice : <> relationId = aa12 | Method Name = methodA() Time taken is = 0ms
c.s.m.c.advice.ExecutionTimeAdvice : <> relationId = ab12 | Method Name = methodA(). Time taken is = 15ms
c.s.m.c.advice.ExecutionTimeAdvice : <> relationId = ab12 | Method Name = methodB(). Time taken is = 1ms
Upvotes: 2
Views: 3864
Answers (1)
josephsturm
Reputation: 323
This would be the general idea:
| rex field=_raw "Name = (?<methodName>\w+)\("
| rex field=_raw "s = (?<duration>\d+)\D"
| where duration > 10
| stats count by methodName
Within your search, you will need to
- Create a
rexfield to grab the method name - Create a
rexfield to grab the duration in milliseconds - Use the
wherecommand to filter the results to where your new "duration" field > 10ms - Use the
statscommand withcount byto count the current results, binning by your new "methodName" field
If this is not exactly correct for your logs, it should at least get you very close.
Upvotes: 2
Related Questions
- Extract data from splunk
- manipulate string in splunk
- Splunk extract a value from string which begins with a particular value
- Splunk rex extract field, I am close but just cant get it matching
- How to parse information from a log message in splunk
- Splunk - regex extract fields from source
- How to get two fields using rex from log file?
- How to extract data from the String in splunk?
- Splunk: how to extract fields using regular expressions? like rex in splunk search
- Splunk Custom Log format Parsing