Based on your sample data:
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"
Something like this should work:
index=ndx sourcetype=srctp message=*
| rex field=message "(?<apiname>\w+).+\,(?<exectime>\d+\.\d+).+:(?<pid>\d+)$"
| where exectime>500
| stats values(exectime) as longtimes by apiname pid
I’ve assumed you have the field message already extracted, and have extracted apiname, exectime, and pid from the message field
https://regex101.com/r/YBKtFc/1
from User warren – Stack Overflow https://stackoverflow.com/questions/68929886/splunk-panel-for-calculating-grater-then-operation/68940490#68940490
via IFTTT
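The rex extraction and the `where`/`stats` steps from the answer, replayed over constructed sample events as an added Python example (not part of the original answer or of Splunk). It assumes Python's `(?P<name>...)` named-group syntax in place of Splunk's `(?<name>...)`, and adds a small helper that pulls the quoted `message` field out of the raw event line; the extra events and the `heartbeat` line are constructed to show a second API and a non-matching message.

```python
import re
from collections import defaultdict

# Constructed sample events in the format shown in the answer (not real log data).
SAMPLE_EVENTS = [
    '2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"',
    '2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"',
    '2021-08-25T20:45:18.001Z level=info module=xyz pid=46 message="listAPI, Execution Time(ms):,812.5, pId:46"',
    '2021-08-25T20:45:18.002Z level=info module=xyz pid=46 message="listAPI, Execution Time(ms):,1203.25, pId:46"',
    '2021-08-25T20:45:18.003Z level=warn module=xyz pid=47 message="heartbeat"',
]

# Helper (assumed, not in the answer): isolate the quoted message field, as Splunk
# would already have done when it auto-extracted key="value" pairs.
MESSAGE_RE = re.compile(r'message="(?P<message>[^"]*)"')

# The answer's rex pattern, using Python's (?P<name>...) group syntax.
REX = re.compile(r'(?P<apiname>\w+).+\,(?P<exectime>\d+\.\d+).+:(?P<pid>\d+)$')


def extract_fields(event):
    """Mirror `rex field=message ...`: return (apiname, exectime, pid) or None."""
    m = MESSAGE_RE.search(event)
    if not m:
        return None
    fields = REX.search(m.group("message"))
    if not fields:
        return None  # rex silently yields no fields for events that do not match
    return fields.group("apiname"), float(fields.group("exectime")), fields.group("pid")


def slow_calls(events, threshold_ms=500.0):
    """Mirror `where exectime>500 | stats values(exectime) as longtimes by apiname pid`.

    Returns {(apiname, pid): sorted list of distinct exectime values over the threshold}.
    """
    grouped = defaultdict(set)
    for event in events:
        extracted = extract_fields(event)
        if extracted is None:
            continue
        apiname, exectime, pid = extracted
        if exectime > threshold_ms:
            grouped[(apiname, pid)].add(exectime)
    return {key: sorted(vals) for key, vals in grouped.items()}


if __name__ == "__main__":
    for (apiname, pid), times in slow_calls(SAMPLE_EVENTS).items():
        print(f"{apiname} pid={pid} longtimes={times}")
```

Running it against a pattern change is a quick way to confirm the greedy `.+\,` still backtracks to the comma before the execution time when the message format shifts, before rolling the rex into a panel.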