How to display time, host, source type when the st...

poonama · ‎09-20-2017

I have a stack trace for one particular error like this,
[9/20/17 5:40:13:428 EDT] 000000e0 SystemOut O 20 Sep 2017 05:40:13:428 [INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. Server name: DMAXP01_MIF2. Cron task name: JMSQSEQCONSUMER.SEQQIN. Last run: 2017-09-20 05:40:00.0host=cltismx1waslp07 Options|

sourcetype=WebSphere:SystemOutLog Options|

source=/logs/websphere/DMAXP01_MIF2/SystemOut.log

I want to view the feilds in tabular format. My search string is
Cron task name: JMSQSEQCONSUMER.SEQQIN9. Last run: | table host, sourcetype,source.

I want to display the time after the keywords " Last run:" in the above statement.

gcusello · ‎09-20-2017

Hi poonama,
you have to extract field Last_Run in rex command or in field extraction.
regex is Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)

your_search
| rex "Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"
| table Last_Run host sourcetype source

you can test it at https://regex101.com/r/Cfbhwp/1
Bye.
Giuseppe

poonama · ‎09-21-2017

Its giving multiple entries of one single last run time. Any idea how to deal with this.

How to display time, host, source type when the statement is as follows:

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to display time, host, source type when the statement is as follows:

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!