Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Grouping logs by tranId, date and time

msarkaus
Path Finder
‎10-02-2024 10:07 AM

Hello,

I'm attempting to display a group of logs by the tranId. We log multiple user actions under a single tranId.  I'm attempting to group all of the logs for a single tranId in my dashboard.

I think I figured out how I want to display the logs, but I can't get the datetime format to correctly display.

index blah blah

| eval msgTxt=substr(msgTxt, 1, 141) 
| stats list(_time) as DateTime list(msgTxt) as Message list(polNbr) as QuoteId by tranId
| eval time=strftime(_time," %m-%d-%Y %I:%M:%S %p")
| streamstats count as log by tranId
| eval tranId=if(log=1,tranId,"")
| fields - log

msarkaus_0-1727888678654.png

 

Please help with displaying date and time format.

Thanks 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2024 10:24 AM

Hi @msarkaus ,

after a stats command, you have only the fields in the stats command, so you don't have yet the _time field,

in affirion, if you use the list option in the stats command you probably have too many values, so try values instead list,

try something like this:

index blah blah
| eval msgTxt=substr(msgTxt, 1, 141) 
| stats 
     vaues(_time) as DateTime 
     values(msgTxt) as Message 
     values(polNbr) as QuoteId 
     BY tranId
| eval DateTime=strftime(DateTime , "%m-%d-%Y %I:%M:%S %p")
| streamstats count as log by tranId
| eval tranId=if(log=1,tranId,"")
| fields - log

Ciao.

Giuseppe

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2024 10:24 AM

Hi @msarkaus ,

after a stats command, you have only the fields in the stats command, so you don't have yet the _time field,

in affirion, if you use the list option in the stats command you probably have too many values, so try values instead list,

try something like this:

index blah blah
| eval msgTxt=substr(msgTxt, 1, 141) 
| stats 
     vaues(_time) as DateTime 
     values(msgTxt) as Message 
     values(polNbr) as QuoteId 
     BY tranId
| eval DateTime=strftime(DateTime , "%m-%d-%Y %I:%M:%S %p")
| streamstats count as log by tranId
| eval tranId=if(log=1,tranId,"")
| fields - log

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2024 07:06 AM

Hi @msarkaus ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...