topic How to fetch the start and the End Time from row logs in Dashboards & Visualizations

How to fetch the start and the End Time from row logs

aditsss — Thu, 31 Aug 2023 13:38:51 GMT

Hi Team,

How can I fetch the start and end time from below logs:

2023-08-30 00:29:00.018 [INFO ] [pool-3-thread-1] ReadControlFileImpl - Reading Control-File /absin/CARS.HIERCTR.D082923.T002302

2023-08-30 07:43:29.020 [INFO ] [Thread-18] FileEventCreator - Completed Settlement file processing, TRIM.UNB.D082923.T045920 records processed: 13283520

I want this start time and end time

can someone help me with query

my current query:

index="abc"sourcetype ="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log"
"Reading Control-File /absin/CARS.HIERCTR."

Re: How to fetch the start and the End Time from row logs

GaetanVP — Thu, 31 Aug 2023 15:25:19 GMT

Hello @aditsss,

If you are receiving those two lines in the same event you could try to use something like this :

index="abc"sourcetype ="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "Reading Control-File /absin/CARS.HIERCTR." | rex "(?<starttime>.*?)\s\[.*\s\].*[\r\n]+(?<endtime>.*?)\s\[.*\s\].*"

This gave me the following results :

Hope it helps !
GaetanVP

Re: How to fetch the start and the End Time from row logs

aditsss — Thu, 31 Aug 2023 15:38:36 GMT

@GaetanVP

I tried below query not getting any result

index="abcsourcetype ="600000304_gg_abs_ipc2" source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log"
"Reading Control-File /absin/CARS.HIERCTR."
| rex "(?<starttime>.*?)\s\[.*\s\].*[\r\n]+(?<endtime>.*?)\s\[.*\s\].*"| table starttime endtime

also for end process logs are these:

2023-08-30 04:09:30.458 [INFO ] [Thread-40] FileEventCreator - Completed Settlement file processing, CARS.HIER.D082923.T002302 records processed: 161076

@GaetanVP please guide

Re: How to fetch the start and the End Time from row logs

aditsss — Thu, 31 Aug 2023 19:45:00 GMT

@GaetanVP could you please guide.

Re: How to fetch the start and the End Time from row logs

isoutamo — Fri, 01 Sep 2023 07:51:48 GMT

I’m expecting that those are two different events and with your sample query you get only the 1st event not both? If this is true, you must first implement a SPL query which result contains both events. Then there must be something common on those events to connect those together. On your example events I can’t see anything like that! Probably you must find some other logs which you could use to combine all events on one transaction together?

Only common factor between those event are D082923, but it seems to be part of file name or something? I assume that it’s using as this on many transactions and cannot use as identity only on transaction?

r. Ismo