Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to trim splunk logs to get time and particular field

surendar123
New Member
‎03-10-2020 06:50 AM

Below are the sample entries from splunk. Highlighted the entries which i want to list down.
Please suggest a splunk query.

1) Please suggest a query pattern to list down word "(time=" and date.
Output should be like:
2020-03-10 06:48:20 (time=451)
2020-03-10 06:48:20 (time=455)
2020-03-10 06:48:20 (time=492)

2020-03-10 06:48:20 [http-nio-7001-exec-7] INFO [5e6770737be8a35b5fef38f7be2a2635] [5fef38f7be2a2635] [] c.l.e.i.a.c.ItemAvailabilityControllerImpl - DeliveryMethod(sosItmNbr=null, fullMtdTyp=3, fullMtdMsg=Delivery, fullCarrier=null, fullCarrierSvc=null, fullTransitMode=null, fullLctNbr=0, restMsg=null, isAvlSts=false, reqStates=[], onhandQty=0, totalQty=0, itmLdTmAvlQty=0, itmLdTm=null, itmConsolidationDate=null, itmLdTmDays=null, itmLdTmDaysLow=null, fullPath=null)])]) (time=451)

2020-03-10 06:48:20 [http-nio-7001-exec-28] INFO [5e677073e64bd99b5997b5bd20c3c4e0] [5997b5bd20c3c4e0] [] c.l.e.i.a.c.ItemAvailabilityControllerImpl - Finished availability process; Response: IAResponse(locationItemData=[ResponseItem(lctNbr=6877, itemNbr=10000070, modID=1500040, omniID=null, vbuNbr=14692, itmTypCode=3, reqQty=17, itemAvailList=[DeliveryMethod(sosItmNbr=null, fullMtdTyp=1, fullMtdMsg=Parcel, fullCarrier=null, fullCarrierSvc=null, fullTransitMode=null, fullLctNbr=0, restMsg=null, isAvlSts=false, reqStates=[], onhandQty=0, totalQty=0, itmLdTmAvlQty=0, itmLdTm=null, itmConsolidationDate=null, (time=455)

2020-03-10 06:48:20 [http-nio-7001-exec-46] INFO [5e6770731c4e323f4cb875712bb0d8ee] [4cb875712bb0d8ee] [] c.l.e.i.a.c.ItemAvailabilityControllerImpl - Finised (time=492)

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-11-2020 05:12 AM 
your search
| rex "(?<time>\(time=\d+\))"
| table _time time

You already have _time. Let's simply.

0 Karma
Reply

manjunathmeti
Champion
‎03-10-2020 07:22 AM

Hi @surendar123,

Use rex command to extract interested values and concatenate.

| rex "^(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s*\[.*\(time=(?<time>[\d]+)\)" 
| eval output=datetime." (time=".time.")"

Sample query:

| makeresults 
| eval _raw="2020-03-10 06:48:20 [http-nio-7001-exec-7] INFO [5e6770737be8a35b5fef38f7be2a2635] [5fef38f7be2a2635] [] c.l.e.i.a.c.ItemAvailabilityControllerImpl - DeliveryMethod(sosItmNbr=null, fullMtdTyp=3, fullMtdMsg=Delivery, fullCarrier=null, fullCarrierSvc=null, fullTransitMode=null, fullLctNbr=0, restMsg=null, isAvlSts=false, reqStates=[], onhandQty=0, totalQty=0, itmLdTmAvlQty=0, itmLdTm=null, itmConsolidationDate=null, itmLdTmDays=null, itmLdTmDaysLow=null, fullPath=null)])]) (time=451)" 
| rex "^(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s*\[.*\(time=(?<time>[\d]+)\)" 
| eval output=datetime." (time=".time.")"
0 Karma
Reply

surendar123
New Member
‎03-10-2020 10:40 AM

Thanks for the response! But i am not getting what i need.

I have executed the query and output shows for one entry which is (time=451)....But in a day there will many entries with (time=450) (time=453) (time=343) etc and so on. Please share the query to get all entries with (time=

| makeresults
| eval _raw="2020-03-10 06:48:20 [http-nio-7001-exec-7] INFO [5e6770737be8a35b5fef38f7be2a2635] [5fef38f7be2a2635] [] c.l.e.i.a.c.ItemAvailabilityControllerImpl - DeliveryMethod(sosItmNbr=null, fullMtdTyp=3, fullMtdMsg=Delivery, fullCarrier=null, fullCarrierSvc=null, fullTransitMode=null, fullLctNbr=0, restMsg=null, isAvlSts=false, reqStates=[], onhandQty=0, totalQty=0, itmLdTmAvlQty=0, itmLdTm=null, itmConsolidationDate=null, itmLdTmDays=null, itmLdTmDaysLow=null, fullPath=null)])]) (time=451)"
| rex "^(?\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s*[.*(time=(?[\d]+))"
| eval output=datetime." (time=".time.")"

0 Karma
Reply

manjunathmeti
Champion
‎03-10-2020 11:18 AM

Search this:

index=INDEXNAME |  rex "^(?<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s*\[.*\(time=(?<time>[\d]+)\)" | eval output=datetime." (time=".time.")"
0 Karma
Reply

manjunathmeti
Champion
‎03-10-2020 10:57 PM

is it working?

0 Karma
Reply

surendar123
New Member
‎03-10-2020 11:07 PM

Sorry still i didn't have the exact results. I am getting the below output when i ran the query provided. In the output i no where find this value -"(time="

index=INDEXNAME | rex "^(?\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s*[.*(time=(?[\d]+))" | eval output=datetime." (time=".time.")"

3/11/201:23:03.000 AM

2020-03-11 01:23:03 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.l.i.c.ItemLocUpdateListener - Updated the item type for req: NodeStatusUpdateReq(nodeStatusUpdate=NodeStatusUpdate(node=6903, itemId=5412, parcelable=null, dirty=null, sellShipUnit=null, itemtypecd=I, modelNumber=00000, vendorNumber=00000, itemtype=1, qty=0, sositemnumber=null))

3/11/20 1:23:03.000 AM

2020-03-11 01:23:03 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.l.i.s.ParcelItemUpdateServiceImpl - INV:ITEM UPDATE could not update the ParcelItemNode for nodeStatusUpdate:NodeStatusUpdate(node=6903, itemId=5412, parcelable=null, dirty=null, sellShipUnit=null, itemtypecd=I, modelNumber=00000, vendorNumber=00000, itemtype=1, qty=0, sositemnumber=null) , ItemLocationAttributeEntity: ItemLocationAttributeEntity(itemLocationAttributeEntityKey=ItemLocationAttributeEntityKey(itemtypecd=I, itemId=5412, model=00000, vendorNumber=00000, node=6903), itemtype=1, sourcingenabled=Y, shipunit=null, sellunit=null, vascodetime={}, directtoconsumereligible=null, pickupeligible=null, deliveryeligible=null)

0 Karma
Reply

manjunathmeti
Champion
‎03-11-2020 05:59 AM

As _time is same as datetime in the beginning of each log. You can search this.

index=INDEXNAME
| rex "(?<time>\(time=[\d]+\))" 
| eval datetime=strftime(_time, "%Y-%m-%d %H:%M:%S"), output=datetime." ".time 
| table output, datetime, time
0 Karma
Reply

surendar123
New Member
‎03-10-2020 10:27 PM

When i run the command it gives me below output,no where relates to the date/time and
field - "(time=" which i mentioned in my request. Can you please suggest a better way? There are almost 10k records with value "(time=" in splunk logs, above suggested query is not giving the right results.

3/11/20
1:23:03.000 AM

2020-03-11 01:23:03 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.l.i.c.ItemLocUpdateListener - Updated the item type for req: NodeStatusUpdateReq(nodeStatusUpdate=NodeStatusUpdate(node=6903, itemId=5412, parcelable=null, dirty=null, sellShipUnit=null, itemtypecd=I, modelNumber=00000, vendorNumber=00000, itemtype=1, qty=0, sositemnumber=null))

3/11/20
1:23:03.000 AM

2020-03-11 01:23:03 [org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1] INFO c.l.i.s.ParcelItemUpdateServiceImpl - INV:ITEM UPDATE could not update the ParcelItemNode for nodeStatusUpdate:NodeStatusUpdate(node=6903, itemId=5412, parcelable=null, dirty=null, sellShipUnit=null, itemtypecd=I, modelNumber=00000, vendorNumber=00000, itemtype=1, qty=0, sositemnumber=null) , ItemLocationAttributeEntity: ItemLocationAttributeEntity(itemLocationAttributeEntityKey=ItemLocationAttributeEntityKey(itemtypecd=I, itemId=5412, model=00000, vendorNumber=00000, node=6903), itemtype=1, sourcingenabled=Y, shipunit=null, sellunit=null, vascodetime={}, directtoconsumereligible=null, pickupeligible=null, deliveryeligible=null)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...