topic Re: How to define a start time for a search based on log message in Splunk Search

How to define a start time for a search based on log message

dowdag — Mon, 01 Jul 2019 19:17:28 GMT

Greetings,

Still confused with Splunk.

How do I specify start point to start searching from - for this application I do not start searching from the head of my Log files.
I would like to do something like:

pseudo code:

  index=* OR index=_* sourcetype=OneOfManyLogFiles* 
earliest = [ search index=_* sourcetype="terminal.log" | return  eval StartSearchFrom=strfTime(if(imatch(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"), _time),"%Y-%m-%d %H:%M:%S.%3N")   ]

This does idea not work.... how is this accomplished?

When using streamstats the log file that has the string "ApplyPayment" is not included in the final rendered table.

index=* OR index=_* sourcetype=OneOfManyLogFiles* 

| eval Action =case(match(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"),"StartTran" ,
    match(Info, "^Done Merchant Payment"),"EndTran", match(Info, "^Exiting"), "Exiting", 
    match(Info, ""), "Info", 1=1, Action) 
| eval EventTime=strfTime(if(in(Action, "StartTran", "EndTran"), _time,""),"%Y-%m-%d %H:%M:%S.%3N") 
| streamstats count(eval(match(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"))) AS TranCount BY host
| reverse 
| stats list(Info) As events BY host TranCount
| table TranCount sourcetype _time EventType action CheckNumber TransactionId PaymentId events

Thanks for any help/ideas on this.

Re: How to define a start time for a search based on log message

adonio — Tue, 02 Jul 2019 00:47:18 GMT

can you share some sample data and desired output for search?

Re: How to define a start time for a search based on log message

memarshall63 — Tue, 02 Jul 2019 01:18:01 GMT

Well this works:

index=_internal sourcetype=scheduler earliest="07/01/2019:20:01:39"

So pulling the earliest time from a subsearch would be something like this example that I tested...

index=_internal sourcetype=scheduler 
    [| makeresults | eval start=relative_time(now(),"-60m") 
| eval earliest=strftime(start, "%m/%d/%Y:%H:%M:%S")
    | return  earliest]

I would think your search should work like this:

 index=* OR index=_* sourcetype=OneOfManyLogFiles*
  [ search index=_* sourcetype="terminal.log" 
  | eval StartSearchFrom=strfTime(if(imatch(Info, "^ApplyPayment\(\) - ManagerId.+PaymentId"), _time),"%m/%d/%Y:%H:%M:%S") 
  | rename StartSearchFrom AS earliest 
  | return earliest ]

Make sure you get the format string "%m/%d/%Y:%H:%M:%S" correct... and that StartSearchFrom holds a good timestamp, and you should be good.

Also watchout for that strfTime() in your search... that should be strftime() , It's probably just cut/paste issues, but that whole 'eval StartSearchFrom..." line could use some work.

Hope that helps...

Re: How to define a start time for a search based on log message

dowdag — Tue, 02 Jul 2019 16:33:41 GMT

Marshall,
Thanks for your ideas. However this does not work.
Why does _time have the format of "%Y-%m-%d" and earliest is "%m/%d/%Y"

and if you add milliseconds to 'earliest' string splunk throws an error -- at least in the free version.

> not happy <

Will look at more examples and hope that i will find a solution.

Re: How to define a start time for a search based on log message

memarshall63 — Tue, 02 Jul 2019 17:03:18 GMT

Like I said, that "eval StartSearchFrom clause needs work. I don't believe there's a function called "imatch", and your if() statement doesn't have a 2nd argument.

The search:
index=_internal sourcetype=scheduler earliest="07/01/2019:20:01:39"
works by using the earliest time modifier. The documentation says:

You can specify an exact time such as
earliest="10/5/2016:20:00:00", or a
relative time such as earliest=-h or
latest=@w6

So, that's the format for an exact time that the time modifier expects. If your time is not in that format, or has the seconds added to it, then it may not work.

So your success lies in getting your timestamp in that format and in the "earliest" field, before you execute a "| return earliest" from the subsearch.

This works, right?

index=_internal sourcetype=scheduler 
     [| makeresults | eval start=relative_time(now(),"-60m") 
 | eval earliest=strftime(start, "%m/%d/%Y:%H:%M:%S")
     | return  earliest]

you should just work to replace the stuff inside the strftime() function.

Re: How to define a start time for a search based on log message

dowdag — Tue, 02 Jul 2019 18:51:03 GMT

I have yet to see this worked expected -- and yes imatch was a typo... have a good afternoon! 🙂

Re: How to define a start time for a search based on log message

memarshall63 — Thu, 04 Jul 2019 17:07:57 GMT

What does your search look like and what results are you seeing? It's got to be pretty close.