topic Re: I want to extract the data between two time stamp fields using _time filed in splunk logs in Splunk Search

How to extract the data between two time stamp fields using _time filed in Splunk logs?

satya671 — Tue, 08 Mar 2022 04:49:59 GMT

_time=time1, _raw=some contents

_time=time2, _raw=some contents

_time=time3, _raw=some contents

_time=time4, _raw=some contents

__time=time5, _raw=some contents

Now I want to extract the data between time2 and time3 using of _time filed , can anyone help with this?

Re: I want to extract the data between two time stamp fields using _time filed in splunk logs

richgalloway — Mon, 07 Mar 2022 13:32:40 GMT

How to extract the data depends on the format of the data in _raw. You could use the extract, spath, xpath, or rex commands to do the work, depending on the nature of the data and what you wish to extract. You also could use settings in the props.conf file to extract fields automatically.

Please tell us more about the use case so we can be more specific.

Re: I want to extract the data between two time stamp fields using _time filed in splunk logs

satya671 — Tue, 08 Mar 2022 12:46:31 GMT

My use case here is to extract data from last successful run based on the filed _time in the splunk logs

Re: I want to extract the data between two time stamp fields using _time filed in splunk logs

PickleRick — Tue, 08 Mar 2022 13:01:05 GMT

Writing the same thing over and over again doesn't explain what you want to do. Give us example of your (anonymized) data, what you want as a result and what is the relation between source events and result.

Re: I want to extract the data between two time stamp fields using _time filed in splunk logs

satya671 — Tue, 08 Mar 2022 13:12:36 GMT

Here I'm trying to extract the some data from the _raw content,

ex : for now data in splunk: here the success run time will be _time2

_time=time2 , _raw=akjfkajdf4jlfadjf5453

_time=time1 , _raw=akjfkajdf6jlfadjf5457,

So, when i again hit the splunk the data available in splunk like below

_time=time3 , _raw=akjfkajdf4jlfadjf5453

_time=time4 , _raw=akjfkajdf6jlfadjf5457,

_time=time2 , _raw=akjfkajdf4jlfadjf5454

_time=time1 , _raw=akjfkajdf6jlfadjf5455,

so , using splunk api i need to get the data from last successful run to till now

so my results should contain from time2 to now

_time=time3 , _raw=akjfkajdf4jlfadjf5453

_time=time4 , _raw=akjfkajdf6jlfadjf5457,

hope this will clarify, lemme know

Need to integrate this logic in the spluk search query.

Re: I want to extract the data between two time stamp fields using _time filed in splunk logs

PickleRick — Tue, 08 Mar 2022 14:24:20 GMT

I don't understand how you define success.

Is it that you run some external tool using API to run a search on splunk and want to return only the events that were ingested since last successful run of your tool?

If so, you simply use "earliest=something latest=something" conditions. You can specify the "somethings" as unix timestamps (number of seconds since epoch) for simplicity.