0
votes

Sharing the application log:

2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45" 
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"

Question: Find the total number of APIs which took more than 500 ms in a Splunk dashboard?

Please share the Splunk query to find out the data below.

Expected output, displayed in a table of two columns:
Delayed API-Name: queryAPI
Total occurrences: 1

1
Do you already have any established fields? - PM 77-1
@PM77-1 thanks for asking. Only 2 columns should display: API name and total number of slow response calls. - fregp
that didn't answer @PM77-1's question, fregp :) ....what fields do you already have extracted? - warren

1 Answer

0
votes

Based on your sample data:

2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"

Something like this should work:

index=ndx sourcetype=srctp message=*
| rex field=message "(?<apiname>\w+).+\,(?<exectime>\d+\.\d+).+:(?<pid>\d+)$"
| where exectime>500
| stats values(exectime) as longtimes by apiname pid

I've assumed you have the field message already extracted, and have extracted apiname, exectime, and pid from the message field.

https://regex101.com/r/YBKtFc/1
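The same extraction and threshold logic, written in Python so it can be checked offline against the sample lines from the question. This is an added example, not part of the question, the answer, or Splunk itself: the capture groups mirror the rex in the answer (apiname, exectime, pid), the 500 ms threshold comes from the question, and the sample log (including a third constructed line for a second API) is made up to exercise the count-per-API table the question asks for.

```python
import re
from collections import Counter

# Constructed sample log in the format shown in the question; the third line is
# invented to show a second API and a line that also crosses the threshold.
SAMPLE_LOG = """\
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"
2021-08-25T20:45:18.001Z level=info module=xyz pid=46 message="listAPI, Execution Time(ms):,812.004000, pId:46"
"""

# Step the answer assumes Splunk has already done: pull the quoted message field
# out of the key=value line.
MESSAGE_RE = re.compile(r'message="(?P<message>[^"]*)"')

# Same three capture groups as the answer's rex, in Python's named-group syntax.
# The greedy ".+," backtracks to the comma immediately before the decimal number,
# so the execution time is captured even though the message has several commas.
EXEC_RE = re.compile(r"(?P<apiname>\w+).+,(?P<exectime>\d+\.\d+).+:(?P<pid>\d+)$")


def parse_line(line):
    """Return {'apiname', 'exectime', 'pid'} for one log line, or None if the
    line lacks a message field or the message does not match the pattern."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    e = EXEC_RE.search(m.group("message"))
    if not e:
        return None
    return {
        "apiname": e.group("apiname"),
        "exectime": float(e.group("exectime")),
        "pid": int(e.group("pid")),
    }


def slow_api_counts(log_text, threshold_ms=500.0):
    """Count, per API name, the calls whose execution time exceeds threshold_ms.
    Equivalent to filtering on exectime>500 and then counting by apiname."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["exectime"] > threshold_ms:
            counts[rec["apiname"]] += 1
    return dict(counts)


def render_table(counts):
    """Render the two-column table the question asks for."""
    rows = ["Delayed API-Name | Total occurrences"]
    for name, n in sorted(counts.items()):
        rows.append(f"{name} | {n}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(slow_api_counts(SAMPLE_LOG)))
```

Lines that do not carry a parseable message are skipped rather than counted, so a change in log format shows up as a drop in matched events instead of silently wrong timings; the threshold is a parameter so the same function can be reused for other latency budgets.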