topic How to pick the specific log time? in Splunk Search

How to pick the specific log time?

surens — Thu, 15 Dec 2022 14:45:58 GMT

Hi all,

My lead give some task .To create a table, we have lot of source type ... source type have the different states which means up and down.the source type is up we get one log msg , suppose source type is down we get log each 5min once.....in one day we have more than 1also posible...now how I take the first down msg after up

Re: To pick the specific log time

gcusello — Thu, 15 Dec 2022 12:41:32 GMT

Hi @surens,

using eval, you have to define the status, something like this:

index=your_index | eval status=case(state="message_up_1!,"up",state="message_up_2!,"up",state="message_up_3!,"up",state="message_down_1!,"down",state="message_down_2!,"down",state="message_down_3!,"down") | table _time status

then you can also have statistics or time distributions.

Ciao.

Giuseppe

Re: To pick the specific log time

surens — Fri, 16 Dec 2022 06:31:38 GMT

It get latest time of the status only I want know the earliest time . Like 1 Down msg time after the up

Re: To pick the specific log time

gcusello — Fri, 16 Dec 2022 07:25:44 GMT

Hi @surens,

this is one of the few cases that I use transaction command:

index=your_index | transaction startswith="state=message_up_1!" OR "state=message_up_2! OR "state=message_up_3" endswith="state=message_down_2!" OR "state=message_down_2!" OR state="message_down_3!" | table _time other_fields

Ciao.

Giuseppe