Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Scraping Start Times

Regleston
New Member
‎02-20-2019 11:22 AM

I am trying to extract the time taken for a process to execute from my logs. This is they syntax of the log:

Time taken: 1.422 seconds

I have been through the message boards on here and tried dozens of different suggestions from similar issues but none of the rex/regex combinations have worked and just given me the time taken. Can someone please help me out?

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎02-20-2019 01:12 PM

try this anywhere:

| makeresults count=1
| eval data = "Time taken: 1.422 seconds;;;Time taken: 1.712 seconds;;;Time taken: 1.333 seconds;;;Time taken: 1.290 seconds"
| makemv delim=";;;" data
| mvexpand data
| rename COMMENT as "the above generates data below is the solution" 
| rex field=data "taken:\s+(?<time_taken>[^\s]+)"

hope it helps

0 Karma
Reply

Regleston
New Member
‎02-21-2019 08:51 AM

(Previous messages got removed for some reason)
That works great with your sample data but with my base search does nothing.

My search query:
index= host= source=//mls-ingest-logs/ingest-mls-summary*.log| rex field=data "taken:\s+(?[^\s]+)"

Log Event:
Time taken: 1.422 seconds
host = source = //ingest-mls-summary.log sourcetype = ingest-mls-summary

0 Karma
Reply

adonio
Ultra Champion
‎02-21-2019 09:54 AM

the field data is in my example, you can remove it for your query
.... | rex field=_raw "taken:\s+(?<time_taken>[^\s]+)"

0 Karma
Reply

Regleston
New Member
‎02-21-2019 09:58 AM

Oh the first thing after the search made no difference was to switch it to "_raw", just reverted it back for the comment.

0 Karma
Reply

adonio
Ultra Champion
‎02-21-2019 10:12 AM

ok, the query i provided first is a dummy query that creates fake data and shows that the regex works

try it top make sure its fine.
on your real data, use this:
index=YOUR_INDEX_NAME_HERE host=YOUR_HOST_NAME_HERE source=//mls-ingest-logs/ingest-mls-summary*.log| rex field=_raw "taken:\s+(?[^\s]+)"

0 Karma
Reply

Regleston
New Member
‎02-20-2019 01:47 PM

It seems to work great with your sample data but for some reason when I add it to the end of my base search I get the same result as I would if I didn't add it.

0 Karma
Reply

adonio
Ultra Champion
‎02-20-2019 02:21 PM

share your base search and a sample full event

0 Karma
Reply

Regleston
New Member
‎02-21-2019 06:03 AM

index=app_hdfs host=FQHN source+/opt/hdp/dna-sqoop-ingest/log/mls-ingest-logs/ingest-mls-summary*.log | rex field=data "taken:\s+(?[^\s]+)"

Time taken: 1.422 seconds
host = FQHN source = /opt/hdp/dna-sqoop-ingest/log/mls-ingest-logs/ingest-mls-summary.log sourcetype = ingest-mls-summary

0 Karma
Reply

pkeenan87
Communicator
‎02-20-2019 12:49 PM

Try this regex:

Time\staken:\s(?[^\s]+)

0 Karma
Reply

Vijeta
Influencer
‎02-20-2019 12:34 PM

Do you want to extract the value of time (1.422) from the logs?

0 Karma
Reply

Regleston
New Member
‎02-20-2019 12:45 PM

Yes, I'm just trying to get what every time shows in that area.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...