How to display time, host, source type when the st...

poonama · ‎09-20-2017

I have a stack trace for one particular error like this,
[9/20/17 5:40:13:428 EDT] 000000e0 SystemOut O 20 Sep 2017 05:40:13:428 [INFO] [DMAXP01_MIF2] [] BMXAA6372I - Host name: 139.46.95.92. Server name: DMAXP01_MIF2. Cron task name: JMSQSEQCONSUMER.SEQQIN. Last run: 2017-09-20 05:40:00.0host=cltismx1waslp07 Options|

sourcetype=WebSphere:SystemOutLog Options|

source=/logs/websphere/DMAXP01_MIF2/SystemOut.log

I want to view the feilds in tabular format. My search string is
Cron task name: JMSQSEQCONSUMER.SEQQIN9. Last run: | table host, sourcetype,source.

I want to display the time after the keywords " Last run:" in the above statement.

gcusello · ‎09-20-2017

Hi poonama,
you have to extract field Last_Run in rex command or in field extraction.
regex is Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)

your_search
| rex "Last run: (?<Lat_Run>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"
| table Last_Run host sourcetype source

you can test it at https://regex101.com/r/Cfbhwp/1
Bye.
Giuseppe

poonama · ‎09-21-2017

Its giving multiple entries of one single last run time. Any idea how to deal with this.

How to display time, host, source type when the statement is as follows:

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?