How to Extract the field from the raw logs

aditsss · ‎10-07-2021

Hi Team,

Can someone guide me how can I extract the logs from the below raw data:

1)Need to Extract the id 5d302144-3cab-387d-8e8c-2532a32b78fe

2) Need to Extract the Starting Time and the Stopping Time

2021-09-01 22:08:48,329 INFO [main] o.a.n.controller.StandardProcessorNode Starting SalesforceBulkAPIJobStatusProcessorV1[id=5d302144-3cab-387d-8e8c-2532a32b78fe]

2021-08-20 12:53:23,476 INFO [main] o.a.n.controller.StandardProcessorNode Stopping processor: SalesforceBatchJobStatusProcessor[id=11c59e11-4bc5-3bbb-9fea-3c12407f3aa2]

Can someone please guide me on this

ITWhisperer · ‎10-07-2021

Assuming you already have _time extracted(?)

| rex "(?<startstop>Starting|Stopping).*\[id=(?<id>[^\]]+)\]"
| eval startingtime=if(startstop="Starting",_time,null())
| eval stoppingtime=if(startstop="Stopping",_time,null())
| stats values(startingtime) as startingtime values(stoppingtime) as stoppingtime by id

aditsss · ‎10-07-2021

@ITWhisperer

I want Starting and Stopping time to extract separately. Also Id need to be extracted separately .

Can you provide me Regex for all three

ITWhisperer · ‎10-07-2021

| rex "\[id=(?<id>[^\]]+)\]"
| rex "(?<startingtime>^.+)\sINFO\s.*Starting"
| rex "(?<stoppingtime>^.+)\sINFO\s.*Stopping"

TheEggi98 · ‎10-07-2021

If the logs have all the same fields and only different values, i would use the Fieldextractor (found at splunks homescreen under "add data")

if not i would try something like

index=YourIndex controller.StandardProcessorNode 
| rex "$.+ o\.a\.n\.controller\.StandardProcessorNode (?<Status>\w+) .+\[id\=(?<id>.+)\]$" 
| table _time Status id

How to Extract the field from the raw logs

panel

simple XML

table

token

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest