
I have an API onboarded to Splunk and the API logs are streamed to Splunk as well. I need to create a report for the time taken by the external APIs. With this basic search command I'm able to get a list of external API calls, but when I try to use rex or split it doesn't work.

```spl
index=my_index message="*time-taken*" | table message
```

This returns results like the following:

```text
service=http://www.example.com:status=200:time-taken=200
service=http://www.example2.com:status=201:time-taken=500
service=http://www.example2.com:status=202:time-taken=240
```

I'd like to create a report something like this; any help is much appreciated.

| date | service | max(time-taken) | avg(time-taken) |
Spartan

1 Answer


You say you tried rex and split yet neither is in the example query. It would help to know what you've tried already so we don't suggest the same thing. Who knows, maybe you were one character away from getting it to work.

"it doesn't work" doesn't help us, either.

This query works with the sample data.

````spl
```Extract service, status, and time-taken fields.
   We use time_taken because hyphens in field names can cause problems```
| rex "service=(?<service>https?://[^:]+):status=(?<status>\d+):time-taken=(?<time_taken>\d+)"
```Compute max and average time-taken```
| stats max(time_taken) as max, avg(time_taken) as avg, first(_time) as _time by service
| table _time, service, max, avg
```Change fields to requested names```
| rename _time as date, max as "max(time-taken)", avg as "avg(time-taken)"
```Display 'date' in readable format```
| fieldformat date=strftime(date, "%Y-%m-%d %H:%M:%S")
````
RichG
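As an added example, not code from the question or from RichG's answer, the same extraction and aggregation done offline in Python, so the regex can be checked against the sample lines before it is pasted into a Splunk search. The timestamps and the fourth event (a service URL with an explicit port) are constructed. The answer groups by service and uses `first(_time)` as the date; this version groups by calendar day and service, which is what the header in the question asks for. It also reports the events the pattern does not match, because `rex` skips those silently and `stats` never sees them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same pattern as the rex in the answer. Python's re module needs (?P<name>...)
# for named groups where Splunk's rex accepts (?<name>...). Group names use
# underscores so they are usable as plain identifiers.
PATTERN = re.compile(
    r"service=(?P<service>https?://[^:]+)"
    r":status=(?P<status>\d+)"
    r":time-taken=(?P<time_taken>\d+)"
)

# Constructed sample events as (ISO-8601 timestamp, message), mirroring the
# three rows in the question plus one hypothetical event whose URL carries a
# port. The port contains a ':' so '[^:]+' cannot reach ':status=' and the
# event does not match, exactly as it would fail to match in rex.
SAMPLE_EVENTS = [
    ("2024-01-15T10:00:00+00:00", "service=http://www.example.com:status=200:time-taken=200"),
    ("2024-01-15T10:05:00+00:00", "service=http://www.example2.com:status=201:time-taken=500"),
    ("2024-01-15T10:10:00+00:00", "service=http://www.example2.com:status=202:time-taken=240"),
    ("2024-01-15T10:12:00+00:00", "service=http://api.example.com:8443:status=200:time-taken=90"),
]


def extract(events):
    """Yield (date, service, status, time_taken) for each event PATTERN matches.

    Non-matching events are skipped, which is also what rex does: the fields
    are simply absent and the event never contributes to stats.
    """
    for timestamp, message in events:
        match = PATTERN.search(message)
        if match is None:
            continue
        day = datetime.fromisoformat(timestamp).strftime("%Y-%m-%d")
        yield day, match.group("service"), int(match.group("status")), int(match.group("time_taken"))


def report(events):
    """Equivalent of: stats max(time_taken) as max, avg(time_taken) as avg by date, service."""
    buckets = defaultdict(list)
    for day, service, _status, time_taken in extract(events):
        buckets[(day, service)].append(time_taken)
    rows = []
    for (day, service), values in sorted(buckets.items()):
        rows.append({
            "date": day,
            "service": service,
            "max(time-taken)": max(values),
            "avg(time-taken)": sum(values) / len(values),
        })
    return rows


def unmatched(events):
    """Return the messages PATTERN silently drops, so they can be checked by hand."""
    return [message for _timestamp, message in events if PATTERN.search(message) is None]


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
    for message in unmatched(SAMPLE_EVENTS):
        print("no match:", message)
```

If the external services can legitimately include a port, the `service` group in both this pattern and the rex needs to allow one, for example `https?://[^:]+(?::\d+)?`; running `unmatched()` over a representative sample of real messages is the quickest way to find out whether that, or some other shape the sample rows do not show, is present.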