Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to extract time from multi line log

ahmedhassanean
Explorer
‎02-21-2016 06:18 AM

Dears,

i have log that repeated every 10 min as below
16-02-08 Name Succ drop

04:26:50 Searches 12 0
04:27:00 Searches 17 0
04:27:10 Searches 12 0

firts line contain Date of the Day and each line contain different Timestamp
i need to know how to extract each line with exact time
i know that i can break events using Break_line option and also break multiple events using multikv
but i couldn't extract Correct time for every event So please advise

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vbumgarner
Contributor
‎03-12-2016 11:45 PM

That's super ugly. If the event really looks like that, and there's nothing you can do about it, then you could do something like this:

|stats count
| eval _raw="16-02-08 Name Succ drop\n04:26:50 Searches 12 0\n04:27:00 Searches 17 0\n04:27:10 Searches 12 0"
| rex "^(?<date>\d+-\d+-\d+) "
| eval line=split(_raw,"\n")
| mvexpand line
| rex field=line "^(?<time>\d+:\d+:\d+) "
| eval _time=strptime(date + " " + time, "%d-%m-%y %H:%M:%S")

It isn't going to be fast, though. You'd be far better off figuring out how to parse the logs line by line, if at all possible.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vbumgarner
Contributor
‎03-12-2016 11:45 PM

That's super ugly. If the event really looks like that, and there's nothing you can do about it, then you could do something like this:

|stats count
| eval _raw="16-02-08 Name Succ drop\n04:26:50 Searches 12 0\n04:27:00 Searches 17 0\n04:27:10 Searches 12 0"
| rex "^(?<date>\d+-\d+-\d+) "
| eval line=split(_raw,"\n")
| mvexpand line
| rex field=line "^(?<time>\d+:\d+:\d+) "
| eval _time=strptime(date + " " + time, "%d-%m-%y %H:%M:%S")

It isn't going to be fast, though. You'd be far better off figuring out how to parse the logs line by line, if at all possible.

0 Karma
Reply
Solved! Jump to solution

ahmedhassanean
Explorer
‎02-21-2016 01:18 PM

i would like to have each line as new event but with correct time and column name as below ( note : date is come in first line only in our case (16-02-08 ) and for each line there is different date and all this table is repeated every 2 min in log with header )

16-02-08 04:26:50 Searches 12 0
16-02-08 04:27:00 Searches 17 0
16-02-08 04:27:10 Searches 12 0

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 12:56 PM

Not sure I understand. Can you describe your desired outcome?
Do you want these to be one event? Do you want each line to be one event, with all the lines that don't have a date in it using... which date?
Do you have the opportunity to change the application generating these logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top