Menu
fields @timestamp, @message
| parse durationMs /(?<duration>[\d]+ )/
| parse message /(GET \/[^\s]+ [\d]+ )(?<responseTime>[\d]+)/
| display @timestamp, duration, responseTime
| sort @timestamp descThis query works for me and fetches the values. The query is currently parsing the durationMs field and getting the value into duration field. Also parsing message field and getting the value into responseTime field.
I am looking for a way to parse durationMs and message fields and get the value into only one field. Is this possible? Please help.
665
coalesce function did the job for me.
fields @timestamp, @message
| parse durationMs /(?<duration>[\d]+ )/
| parse message /(GET \/[^\s]+ [\d]+ )(?<responseTime>[\d]+)/
| display @timestamp, coalesce(duration, responseTime) as response_time
| sort @timestamp descIf you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With