Parse question
A latency value is located at the end of our log events. I am trying to parse this value from each log event into a single field. I’m having a hard time writing the parse statement that extracts the latency value from all log events because the info in each log statement directly preceding the latency value varies in each log event. In the log sample I provide below, the values I want to extract are: 575, 56, and 174.
Are there any tricks to parsing data in this type of situation? Is it possible to define a field separator and then break the log events up into fields based on the provided field separator value?
Thanks in advance,
Chris
<134>Mar 21 03:59:37 dlalalalal lor<82> "dw-180" [] - 152.152.245.135, 152.152.245.135, 10.0.1.111 - - [21/Mar/2018:03:59:36 +0000] "GET /lalala HTTP/1.1" 200 - "-" "python-requests/2.13.0” 575
<134>Mar 21 03:59:38 dztztztztztz lor<82> "dw-193" [] - 214.236.130.191, 214.236.130.191, 10.0.1.111 - - [21/Mar/2018:03:59:38 +0000] "GET /lalala HTTP/1.1" 200 - "-" "RestSharp/105.2.2.0” 56
<134>Mar 21 03:59:36 dhbhbhbh lor<82> "dw-181" [] - 152.152.40.136, 152.152.40.136, 10.0.11.45 - - [21/Mar/2018:03:59:36 +0000] "GET /lalala HTTP/1.1" 200 - "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-92-generic” 174
Official comment
Hi Chris,
If you're only after the latency values, the easiest way to do this is by using our parse regex operator. For example:
_sourceCategory=your/data
| parse regex " (?<latency>\d+)$"
This will extract any number that sits between a <space> and the end of the line.
I hope this helps!
Ryan Johnson
Sumo Logic, Australia
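The end-anchored pattern from the answer above, run offline in Python over the three sample events from the question plus two constructed edge cases (a CRLF-terminated line and a line that ends in `-` instead of a number). This is an added example, not part of the original thread; the function names and the `\s*` tolerance for trailing whitespace are assumptions.

```python
import re

# Python spells a named group (?P<name>...); Sumo Logic's parse regex uses (?<name>...).
# The leading space and the end anchor mean only the final token can match, so the
# status code (200) and the digits inside IPs or user agents are never picked up.
# \s* before $ tolerates a trailing CR/LF or spaces (assumption, not in the answer).
LATENCY_RE = re.compile(r" (?P<latency>\d+)\s*$")


def extract_latency(event):
    """Return the trailing integer of a log event, or None if it does not end in one."""
    match = LATENCY_RE.search(event)
    return int(match.group("latency")) if match else None


# The first three events are the samples from the question.
# The last two are constructed edge cases for this example.
EVENTS = [
    '<134>Mar 21 03:59:37 dlalalalal lor<82> "dw-180" [] - 152.152.245.135, 152.152.245.135, 10.0.1.111 - - [21/Mar/2018:03:59:36 +0000] "GET /lalala HTTP/1.1" 200 - "-" "python-requests/2.13.0” 575',
    '<134>Mar 21 03:59:38 dztztztztztz lor<82> "dw-193" [] - 214.236.130.191, 214.236.130.191, 10.0.1.111 - - [21/Mar/2018:03:59:38 +0000] "GET /lalala HTTP/1.1" 200 - "-" "RestSharp/105.2.2.0” 56',
    '<134>Mar 21 03:59:36 dhbhbhbh lor<82> "dw-181" [] - 152.152.40.136, 152.152.40.136, 10.0.11.45 - - [21/Mar/2018:03:59:36 +0000] "GET /lalala HTTP/1.1" 200 - "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-92-generic” 174',
    '<134>Mar 21 03:59:39 host lor<82> "dw-000" [] - 192.0.2.10 - - [21/Mar/2018:03:59:39 +0000] "GET /lalala HTTP/1.1" 200 - "-" "curl/7.58.0" 12\r\n',
    '<134>Mar 21 03:59:40 host lor<82> "dw-000" [] - 192.0.2.10 - - [21/Mar/2018:03:59:40 +0000] "GET /lalala HTTP/1.1" 499 - "-" "curl/7.58.0" -',
]


def summarize(events):
    """Return (list of parsed latencies, count of events with no numeric latency)."""
    parsed, skipped = [], 0
    for event in events:
        value = extract_latency(event)
        if value is None:
            skipped += 1  # count these instead of dropping them silently
        else:
            parsed.append(value)
    return parsed, skipped


if __name__ == "__main__":
    latencies, skipped = summarize(EVENTS)
    print("latencies:", latencies)
    print("events without a numeric latency:", skipped)
```

Counting the events that fail to match makes a format change in the log source visible instead of letting those events disappear from latency statistics.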