Extract/filter Splunk Query and for conditional logic

1
votes

I use basic Splunk queries mostly, like

index=myIndexHere source="path/to/logs/app.log" "Keyword to Filter Query On Example"

My question is, I want to find logs that have a value called "Time taken:". Ok, that's great - based on what I wrote above, I know how to do that. I get a bunch of search results back in Splunk, that is in a JSON-style (this is logging from my Java Spring Boot application), i.e.

Object state is { "key1": "value",
  "key2": "value",
  "key3": "value"
}, Time taken: 500 ms

So it's some format like that. How can I filter/extract the "Time taken:" VALUE (just the numeric portion) and do a simple logic condition like "> 1000ms" such that I only get search results back that are greater than 1000ms?

1
javaspring-bootsplunk

1 Answers

1
votes

One way is with the rex command. rex extracts capture groups into fields which can then be processed with other SPL commands.

index=myIndexHere source="path/to/logs/app.log" "Keyword to Filter Query On Example" "Time taken"
| rex "Time Taken:\s(?<timeTaken>\d+)"
| where timeTaken > 1000

This query assumes the Time taken field is always milliseconds. If it can change then the query becomes more complex.