I have OpenShift logs configured in Splunk. The API results below are captured under “log{}”, and “pod_name” is available under kubernetes (kubernate.pod_name). The API response time is captured at the end of the result (234 ms). I want to fetch only that response time for each distinct pod name.
Log
[
10.234.21.1 GET api/proditem/taskid/ HTTP 1.1 200 – 234 ms
]
Expected table result
Host average_response_time
33h_iei566_pod1 250 ms
33h_iei566_pod2 230 ms
33h_iei566_pod3 340 ms
I tried the below:
index=apps_openshift_huge Source="automate_pod*" log | rex field=message "(?<response_time>d+)ms" | table host, response_time