I want to extract logs with more than a certain number of specific values in a message

I am using filebeat to get the logs for each server.
Some of the logs are outputting the processing times of various methods, which are commonly formatted as "elaps:****".

In Kibana, the elapsed time is displayed by using the keyword "elapses", but we would like to filter out only the elapsed time that is more than a certain number.
Is it possible to express this in KQL?

ex)

[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:13 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:20 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:121 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:614 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:35 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:518 ... snip ...
... snip ...

For example, to extract elapses greater than 500

[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:614 ... snip ...
[YYYY-MM-DD hh:mm:ss] ... snip ... elaps:518 ... snip ...
... snip ...

Hi @its-ogawa!
There is an option to create a runtime field with a number type. Then you would be able to filter with KQL.
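As an added example (not part of the original thread), this is what such a runtime field looks like as a mapping update sent from Kibana Dev Tools, followed by a search that checks the parsed value; the index name `my-logs`, the Filebeat `message` field as the source of the raw line, and the field name `elaps_ms` are assumptions.

```json
# Added example: a numeric runtime field that parses "elaps:NNN" out of the raw line.
# Index name, source field and runtime field name are assumptions, not from the thread.
PUT my-logs/_mapping
{
  "runtime": {
    "elaps_ms": {
      "type": "long",
      "script": {
        "source": """
          // Filebeat puts the raw line in the text field "message";
          // text fields have no doc values, so read it from _source.
          String msg = params['_source']['message'];
          if (msg != null) {
            // grok() finds "elaps:<integer>" anywhere in the line.
            String e = grok('elaps:%{INT:elaps}').extract(msg)?.elaps;
            if (e != null) {
              emit(Long.parseLong(e));
            }
          }
        """
      }
    }
  }
}

# Verify the parsed value before relying on it in Discover.
GET my-logs/_search
{
  "fields": ["elaps_ms"],
  "query": { "range": { "elaps_ms": { "gt": 500 } } }
}

# Equivalent KQL in Discover once elaps_ms exists on the data view:
#   elaps_ms > 500
```

Lines that contain no `elaps:` token emit no value, so the KQL filter simply drops them. The same script can be entered in the data view's "Add field" dialog in Kibana instead of via the mapping API.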
