Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index-time extraction of multiple timestamps fields within a single event

robert_vincent
Engager
‎08-08-2013 02:03 PM

Need to set up searching and alerting for batch-job logging. Each log line will have the following format:

timestamp|uuid|appname|next-timestamp|max-execution-time|start-stop-code

So I need to set up a search that starts with:

index="batch" | transaction fields=uuid

And then add logic that tests for:

  • linecount=1 | where ( timestamp + max-execution-time > current time )
  • Most recent "next-timestamp" for each appname is less than current time

Problem is, I don't know how to set up index-time field extraction for multiple timestamps within a single event. Help?

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-09-2013 01:16 AM

You do not normally need to extract anything at index-time. You can make your comparisons with search-time extracted data.

Don't know what you really want to do, and what the transaction is used for, but if max-execution-time is in seconds, the logic/math will be rather simple. Current time (when the search starts) can be found via now(). 

...| eval XXX = _time + max-execution-time 
| eval YYY = if(XXX > now() AND next-timestamp < now(),"apple", "orange")

Perhaps you want to also look at the dedup command to let you only get the most recent event for some field.

See;

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/CommonEvalFunctions

Some more explanation and a few sample events would let people here understand your problem better and be able to help you more.

/K

0 Karma
Reply

lukejadamec
Super Champion
‎08-08-2013 07:09 PM

Is your data showing up as a file's worth of data in one event? Or, is each line showing up as a single event with it's own timestamp?

0 Karma
Reply

linu1988
Champion
‎08-08-2013 02:43 PM

Finally one timestamp will be recognized. Better to do leave it as it is, the first timestamp field will be recorded as _time field. Then you can go for the field extraction on the UI, which will be easier for you. it will add those entries to props.conf, then you can refer them to do the manual extraction entry yourself.

http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Propsconf

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...