Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

@gcusello  could you please provide me the complete query:

My current query is this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"

Hi @aditsss,

please try this

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| table filename

Ciao.

Giuseppe

Hi @gcusello 

I want something like this 

finished reading file /absin/TRIM.ARCH.D062923.T052525                  2023-06-29 09:41:53.884

One side it should be this and other side it should be date.

@gcusello  how can we create query for this. Please guide

2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525

Also I don't want tabular format is that possible I can create bar chart.

Current query:

index="abx*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"| rex "file\s+(?<filename>.*)"

Hi @aditsss,

please try this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| table filename _time

Ciao.

Giuseppe

Thanks @gcusello 

But I want to create in bar chart format please guide.

Hi @aditsss,

let me understand: you have a string in a column and a date in another, how do you want to put them in a chart?

Ciao.

Giuseppe

@gcusello 

I want string on bar and date down 

Hi @aditsss,

if you want a timeline, you have to use the timeline Add-On at https://splunkbase.splunk.com/app/3120

There isn't any other solution.

Ciao.

Giuseppe

@gcusello 

I just want date down and string in column or bar format.

Can you guide me with timechart

@gcusello 

I tried like this but not getting any result:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
|  timechart span=1d values(filename) AS filename

Hi @gcusello 

I had tried like this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| stats count by filename

I am getting result like this:

filename                                                                                                                                                  count

finished reading file TRIM.ARCH.D062623.T053124                                                1

I want something like this

filename                                                                                                                                                  Date

finished reading fileTRIM.ARCH.D062623.T053124                                      2023-06-29 09:41:53.884

Hi @aditsss,

as I said, in a chart you can insert a count or a value but never a string.

You can eventually have a timechart, but always with a value (a count or a sum) never with a string.

The only way to have a chart is the Timeline add-on.

Otherwise, you can have a table like the one you shared.

ciao.

Giuseppe

@gcusello 

I am trying this query:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "Processing archival records for file "
| rex "file\s+(?<filename>.*)"
| eval filename="Processing archival records for file ".filename
| stats count by filename

I am able to see result like this:

filename                                                                                                                                                     count

Processing archival records for file TRIM.ARCH.D062723.T061108                                 1

I want to see result like this

filename                                                                                                                                                     Date

Processing archival records for file TRIM.ARCH.D062723.T061108                                2023-06-27 09:29:11.022

@gcusello please guide