Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to trim Splunk logs to get time and particular field?

kkanand
Explorer
‎10-25-2022 10:23 PM

Hello

I am having the following query: 

index=*  "There was an error trying to process" | table _raw

logs

_raw

1 2022-10-25 22:10:59.937 ERROR 1 --- [rTaskExecutor-1] c.s.s.service.InboundProcessingFlow : There was an error trying to process PPositivePay121140399F102520220942.20221025094304862.ach from Inbox.
2 2022-10-25 22:10:57.824 ERROR 1 --- [rTaskExecutor-1] c.s.s.service.InboundProcessingFlow : There was an error trying to process FPositivePay121140399Q102420222215.20221024221617018.ach from Inbox.
3 2022-10-25 22:10:57.824 ERROR 1 --- [rTaskExecutor-2] c.s.s.service.InboundProcessingFlow : There was an error trying to process FPositivePay121140399W102520220113.20221025011346442.ach from Inbox.
4 2022-10-25 22:11:53.729 ERROR 1 --- [rTaskExecutor-2] c.s.s.service.InboundProcessingFlow : There was an error trying to process PPositivePay121140399Q102420222215.20221024221617018.ach from Inbox.



I would need to alter the search query so that the output is becoming: 

Time                             file_name

2022-10-25 15:10:49 PPositivePay121140399F102520220942.20221025094304862.ach
2022-10-25 15:10:59 FPositivePay121140399Q102420222215.20221024221617018.ach
2022-10-25 15:11:09 FPositivePay121140399W102520220113.20221025011346442.ach
2022-10-25 15:11:14 PPositivePay121140399Q102420222215.20221024221617018.ach

 

Thanks

@gcusello 

Labels (1)
Labels
0 Karma
Reply

kkanand
Explorer
‎10-26-2022 06:27 AM

kkanand_0-1666790745673.png

I dont want the "from inbox" to show up in the field
Just

_time message

2022-10-25 22:11:00.015PPositivePay121140399F102520220942.20221025094304862.ach
2022-10-25 22:10:57.826FPositivePay121140399Q102420222215.20221024221617018.ach
2022-10-25 22:10:57.826FPositivePay121140399W102520220113.20221025011346442.ach
2022-10-25 22:11:53.729PPositivePay121140399Q102420222215.20221024221617018.ach
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2022 10:55 PM

Hi @kkanand,

you have to add _time to your table command

index=*  "There was an error trying to process" 
| table _time _raw

Ciao.

Giuseppe

0 Karma
Reply

kkanand
Explorer
‎10-25-2022 11:09 PM

Dashboard

kkanand_0-1666764478476.png

I want it like this

kkanand_1-1666764583139.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2022 11:49 PM

HI @kkanand,

sorry, but the _raw of the two screenshots are different: you don't want _raw, but a part of it.

in this case yu have to extract a part of _raw using a regex, in this case you can try something like this:

index=*  "There was an error trying to process" 
| rex "There was an error trying to process (?<message>.*)"
| table _time message

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...