Re: How to Extract the field from the raw logs

aditsss · ‎10-07-2021

Hi Team,

Can someone guide me how can I extract the logs from the below raw data:

1)Need to Extract the id 5d302144-3cab-387d-8e8c-2532a32b78fe

2) Need to Extract the Starting Time and the Stopping Time

2021-09-01 22:08:48,329 INFO [main] o.a.n.controller.StandardProcessorNode Starting SalesforceBulkAPIJobStatusProcessorV1[id=5d302144-3cab-387d-8e8c-2532a32b78fe]

2021-08-20 12:53:23,476 INFO [main] o.a.n.controller.StandardProcessorNode Stopping processor: SalesforceBatchJobStatusProcessor[id=11c59e11-4bc5-3bbb-9fea-3c12407f3aa2]

Can someone please guide me on this

ITWhisperer · ‎10-07-2021

Assuming you already have _time extracted(?)

| rex "(?<startstop>Starting|Stopping).*\[id=(?<id>[^\]]+)\]"
| eval startingtime=if(startstop="Starting",_time,null())
| eval stoppingtime=if(startstop="Stopping",_time,null())
| stats values(startingtime) as startingtime values(stoppingtime) as stoppingtime by id

aditsss · ‎10-07-2021

@ITWhisperer

I want Starting and Stopping time to extract separately. Also Id need to be extracted separately .

Can you provide me Regex for all three

ITWhisperer · ‎10-07-2021

| rex "\[id=(?<id>[^\]]+)\]"
| rex "(?<startingtime>^.+)\sINFO\s.*Starting"
| rex "(?<stoppingtime>^.+)\sINFO\s.*Stopping"

TheEggi98 · ‎10-07-2021

If the logs have all the same fields and only different values, i would use the Fieldextractor (found at splunks homescreen under "add data")

if not i would try something like

index=YourIndex controller.StandardProcessorNode 
| rex "$.+ o\.a\.n\.controller\.StandardProcessorNode (?<Status>\w+) .+\[id\=(?<id>.+)\]$" 
| table _time Status id

How to Extract the field from the raw logs

panel

simple XML

table

token

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms