topic How to create a query that pulls the following fields from each event? in Splunk Search

How to create a query that pulls the following fields from each event?

Strangertinz — Mon, 15 May 2023 14:01:28 GMT

Can anyone offer some guidance on how to go about creating a query that pulls the following fields from each event

Start_time (date and time ) — different from _time field

End_time (date and time ) — different from _time field

usage_amount ( a whole number)

I will like to calculate the time difference between the start and end time and split every event that the start and end time span over one day and split the original event into multiple individual events where each event from the search just returns the modified list of events where the start and end times are within the same day

Re: Spl query

yuanliu — Sat, 13 May 2023 23:06:57 GMT

You want to start by telling the community about your data. (Anonymize as needed.) How do you determine what is Start_time, what is End_time, what is usage_amount, etc.? SPL is just a tool. Until you can show volunteers how you do it without SPL, we cannot help you craft SPL.

Re: Spl query

Strangertinz — Sun, 14 May 2023 01:57:52 GMT

I attached some picture of the sample data and query thus far

Re: Spl query

Strangertinz — Sun, 14 May 2023 01:59:24 GMT

Thanks, I posted some pictures of the data/current SPL query. Let me know if I can provide anything else

Re: Spl query

ITWhisperer — Sun, 14 May 2023 06:29:28 GMT

Try something like this

Re: Spl query

Strangertinz — Sun, 14 May 2023 16:27:27 GMT

This is awesome! Thanks !!!