Extract the second number from the last from a string and get top 25.

Follow

Krishna Susarla

• June 24, 2015 21:53

Hello,

I am trying extract the time component from a string, get top 25 that are greater than SLA time by webservice name and email them. We have tomcat access logs being pushed to sumo logic. The entries of three web services look like the following.

127.0.0.1 - - [24/Jun/2015:16:41:35 -0500] "POST /services/GetPeopleInfo HTTP/1.0" 200 2572 98 97
127.0.0.1 - - [24/Jun/2015:16:37:13 -0500] "POST /services/SetPersonStatus HTTP/1.0" 200 2316 123 123
127.0.0.1 - - [24/Jun/2015:16:01:53 -0500] "POST /services/RelayTransform HTTP/1.0" 200 2296 59 59

The second number from last in all the above lines is the time taken to process the request.

For example
I want to look back in time for last three hours and if any of the GetPeopleInfo took more than 100ms, I want to list top 25 of them and email.

I need help in writing the query to extract the second number from the last most importantly

0

• 

  David Wynn

  • June 24, 2015 22:27

  You should be able to extract the next to last value with a regular expression similar to the following:

  (?<time_taken>\d+)\s+\d+$

  So, a query that looks for the top 25 GetPeopleInfo response times greater than 100ms might look like this:

  _sourceCategory=Tomcat GetPeopleInfo
  | parse regex "(?<time_taken>\d+)\s+\d+$"
  | where time_taken > 100
  | sort by time_taken desc
  | limit 25

  0

  Comment actions Permalink

Please sign in to leave a comment.