How to display time, host, source type when the st...

poonama · ‎09-20-2017

I have a stack trace for one particular error like this,
[9/20/17 5:40:13:428 EDT] 000000e0 SystemOut O 20 Sep 2017 05:40:13:428 [INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. Server name: DMAXP01_MIF2. Cron task name: JMSQSEQCONSUMER.SEQQIN. Last run: 2017-09-20 05:40:00.0host=cltismx1waslp07 Options|

sourcetype=WebSphere:SystemOutLog Options|

source=/logs/websphere/DMAXP01_MIF2/SystemOut.log

I want to view the feilds in tabular format. My search string is
Cron task name: JMSQSEQCONSUMER.SEQQIN9. Last run: | table host, sourcetype,source.

I want to display the time after the keywords " Last run:" in the above statement.

gcusello · ‎09-20-2017

Hi poonama,
you have to extract field Last_Run in rex command or in field extraction.
regex is Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)

your_search
| rex "Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"
| table Last_Run host sourcetype source

you can test it at https://regex101.com/r/Cfbhwp/1
Bye.
Giuseppe

poonama · ‎09-21-2017

Its giving multiple entries of one single last run time. Any idea how to deal with this.

How to display time, host, source type when the statement is as follows:

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation