Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to extract time from multi line log

ahmedhassanean
Explorer
‎02-21-2016 06:18 AM

Dears,

i have log that repeated every 10 min as below
16-02-08 Name Succ drop

04:26:50 Searches 12 0
04:27:00 Searches 17 0
04:27:10 Searches 12 0

firts line contain Date of the Day and each line contain different Timestamp
i need to know how to extract each line with exact time
i know that i can break events using Break_line option and also break multiple events using multikv
but i couldn't extract Correct time for every event So please advise

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vbumgarner
Contributor
‎03-12-2016 11:45 PM

That's super ugly. If the event really looks like that, and there's nothing you can do about it, then you could do something like this:

|stats count
| eval _raw="16-02-08 Name Succ drop\n04:26:50 Searches 12 0\n04:27:00 Searches 17 0\n04:27:10 Searches 12 0"
| rex "^(?<date>\d+-\d+-\d+) "
| eval line=split(_raw,"\n")
| mvexpand line
| rex field=line "^(?<time>\d+:\d+:\d+) "
| eval _time=strptime(date + " " + time, "%d-%m-%y %H:%M:%S")

It isn't going to be fast, though. You'd be far better off figuring out how to parse the logs line by line, if at all possible.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vbumgarner
Contributor
‎03-12-2016 11:45 PM

That's super ugly. If the event really looks like that, and there's nothing you can do about it, then you could do something like this:

|stats count
| eval _raw="16-02-08 Name Succ drop\n04:26:50 Searches 12 0\n04:27:00 Searches 17 0\n04:27:10 Searches 12 0"
| rex "^(?<date>\d+-\d+-\d+) "
| eval line=split(_raw,"\n")
| mvexpand line
| rex field=line "^(?<time>\d+:\d+:\d+) "
| eval _time=strptime(date + " " + time, "%d-%m-%y %H:%M:%S")

It isn't going to be fast, though. You'd be far better off figuring out how to parse the logs line by line, if at all possible.

0 Karma
Reply
Solved! Jump to solution

ahmedhassanean
Explorer
‎02-21-2016 01:18 PM

i would like to have each line as new event but with correct time and column name as below ( note : date is come in first line only in our case (16-02-08 ) and for each line there is different date and all this table is repeated every 2 min in log with header )

16-02-08 04:26:50 Searches 12 0
16-02-08 04:27:00 Searches 17 0
16-02-08 04:27:10 Searches 12 0

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-21-2016 12:56 PM

Not sure I understand. Can you describe your desired outcome?
Do you want these to be one event? Do you want each line to be one event, with all the lines that don't have a date in it using... which date?
Do you have the opportunity to change the application generating these logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...