topic every event has a hostname and respective time stamp. I want that hostname its time to be displayed and download that as a csv in Splunk Search

every event has a hostname and respective time stamp. I want that hostname its time to be displayed and download that as a csv

rkdasari — Tue, 29 Sep 2020 12:02:16 GMT

Like this many events are there. I just need host and TIme to be dowloaded as a report . please help me

TIme
12/6/16
9:42:40.513 AM

Event
[2016-12-06 09:42:40,513yyyy/MM/dd HH:mm:ss,UTC] _alert_time="2016/12/06 08:30:00 UTC", __sev="LOW", __ns="Storage", __app="ONTAP.HEALTH.Multipath", __uniqID=9bdeaf064afffbc8b17016cf1c09af9c, _@="storage-alerts@yahoo-inc.com", _threshold_name="ONTAP.HEALTH.Multipath", host="nfsarchive16801.mail.gq1.yahoo.com", __description="Storage configuration is Mixed-Path.Loop Details::missing loop:3b:shelf:2
missing loop:1d:shelf:5
missing loop:3d:shelf:4", __status="1", __url="http://yamas.ops.yahoo.com:9999/#/ws/y63tw8/oxc", __url="http://yamas.ops.yahoo.com:9999/v1/graph/new?start=1481005800&end=1481013000&_t.host=nfsarchive16801.mail.gq1.yahoo.com&_s.s0._m.m0.name=Storage.ONTAP.HEALTH.Multipath.status_ok&_s.s0._m.m1.name=Storage.ONTAP.HEALTH.Multipath.status_bad&_s.s0._t._threshold_name=ONTAP.HEALTH.Multipath", __custom_text="please check and fix"

host = alrcons-1.yms.gq1.yahoo.com
source = /home/y/logs/alerts_splunk/alerts-email.log
sourcetype = alerts

Re: every event has a hostname and respective time stamp. I want that hostname its time to be displayed and download that as a csv

cmerriman — Tue, 06 Dec 2016 18:40:49 GMT

if these are events that are being generated, can you just create a search like this:

sourcetype=alerts|table host _time alert_time

and then save it as a report and schedule it if needed?
if you don't have the fields extracted yet, some regex commands that might work:

sourcetype=alerts |rex field=_raw host="(?<host>.*)", |rex field=_raw \[(?<time>.*)\]|rex field=_raw alert_time="(?<alertTime>.*)", __sev|table host time alertTime

Re: every event has a hostname and respective time stamp. I want that hostname its time to be displayed and download that as a csv

niketn — Tue, 06 Dec 2016 19:19:12 GMT

Since host is a metadata index-time extracted field for any sourcetype, you will need to provide a separate field extraction name. Since Splunk is case sensitive for Field names, I am using Host as the extracted field name in following options:

Option 1) Use Extract New Fields option from your Search results. Interactive Field Extractor will give you options to use Splunks regular expression or define your own. You can define your own extraction as

host\=\"(?P<Host>[^,]+)\"\,

Option 2) Use inline rex command to extract host. (PS: rex command should only be used for initial testing, ideally you should use Option 1 or 3 to create a Field Extraction Knowledge Object.

rex field=_raw "host\=\"(?P<Host>[^,]+)\"\,"

Option 3) Modify props.conf to create your own extraction for sourcetype alerts

EXTRACT-Host = host\=\"(?P<Host>[^,]+)\"\,

PS: Other fields should be automatically extracted by Splunk. If not you can apply above options with respective regular expressions. In order to test your regular expressions you can try regex101 website.