Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract first and last timestamp value from below data and subtract them to get time difference in seconds?

anna
Explorer
‎08-03-2022 05:10 AM

 Transaction_Log__c: {"message":"Entering doPost method","level":"INFO","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.880Z"} {"message":"Source System is : null","level":"DEBUG","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.886Z"} {"message":"Request Body : {\"data\":{\"dealerCode\":\"FARC\",\"dealerType\":\"Premise\"}}","level":"DEBUG","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.888Z"} {"message":"Request Type/Parameters are : {}","level":"DEBUG","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.889Z"} {"message":"Deserializing the reqBody","level":"INFO","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.890Z"} {"message":"Entering getSuccessResponse method and parameter are -->TLS_Store__c:{Id=a7O5L000000000zUAA, Name=TELSTRA SHOP BONDI JUNCTION, TLS_DeliveryAddress__c=a2r5L000000YybMQAS, TLS_CompanyName__c=TRS SHOPS, TLS_PremiseCode__c=FARC, TLS_DealerChannel__c=TSN, TLS_DealerStatus__c=Active, TLS_HROrgUnitCode__c=90000561, TLS_DealerABN__c=33051775556, TLS_DealerACN__c=51775556, TLS_DealerEmail__c=bondijunction@team.telstra.com, TLS_DealerPhone__c=1800 723 917, TLS_DealerType__c=Premise, TLS_DealerParent__c=a7O5L000000075BUAQ, TLS_PhysicalAddress__c=a2r5L000000YybMQAS}","level":"INFO","loggerName":"StoreManagementAPI_ResponseMessages","timestamp":"2022-08-03T11:45:25.928Z"} {"message":"Exiting getSuccessResponse method","level":"INFO","loggerName":"StoreManagementAPI_ResponseMessages","timestamp":"2022-08-03T11:45:25.930Z"} {"message":"Exiting Post method","level":"INFO","loggerName":"StoreManagementAPI","timestamp":"2022-08-03T11:45:25.931Z"}

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2022 06:46 AM

Use the rex command to extract the timestamps.  The max_match=0 option tells rex to extract all matches.  The matches will be put into a multi-value field so we'll use mvindex(0) and mvindex(-1) to get the first and last, respectively.  Then we have to convert the timestamps into epoch (integer) format before the difference can be calculated.  Try it out in this run-anywhere example:

| makeresults | eval _raw= "Transaction_Log__c: {\"message\":\"Entering doPost method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.880Z\"} {\"message\":\"Source System is : null\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.886Z\"} {\"message\":\"Request Body : {\"data\":{\"dealerCode\":\"FARC\",\"dealerType\":\"Premise\"}}\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.888Z\"} {\"message\":\"Request Type/Parameters are : {}\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.889Z\"} {\"message\":\"Deserializing the reqBody\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.890Z\"} {\"message\":\"Entering getSuccessResponse method and parameter are -->TLS_Store__c:{Id=a7O5L000000000zUAA, Name=TELSTRA SHOP BONDI JUNCTION, TLS_DeliveryAddress__c=a2r5L000000YybMQAS, TLS_CompanyName__c=TRS SHOPS, TLS_PremiseCode__c=FARC, TLS_DealerChannel__c=TSN, TLS_DealerStatus__c=Active, TLS_HROrgUnitCode__c=90000561, TLS_DealerABN__c=33051775556, TLS_DealerACN__c=51775556, TLS_DealerEmail__c=bondijunction@team.telstra.com, TLS_DealerPhone__c=1800 723 917, TLS_DealerType__c=Premise, TLS_DealerParent__c=a7O5L000000075BUAQ, TLS_PhysicalAddress__c=a2r5L000000YybMQAS}\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI_ResponseMessages\",\"timestamp\":\"2022-08-03T11:45:25.928Z\"} {\"message\":\"Exiting getSuccessResponse method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI_ResponseMessages\",\"timestamp\":\"2022-08-03T11:45:25.930Z\"} {\"message\":\"Exiting Post method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.931Z\"}"
```The above just creates test data ```
| rex max_match=0 "timestamp[[:punct:]]+(?<timestamp>[^\\\"]+)"
| eval first_timestamp=mvindex(timestamp,0), last_timestamp=mvindex(timestamp, -1)
| eval first_ts = strptime(first_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z"), last_ts = strptime(last_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval diff = last_ts - first_ts
| table timestamp, first_timestamp, last_timestamp, first_ts, last_ts, diff

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2022 06:46 AM

Use the rex command to extract the timestamps.  The max_match=0 option tells rex to extract all matches.  The matches will be put into a multi-value field so we'll use mvindex(0) and mvindex(-1) to get the first and last, respectively.  Then we have to convert the timestamps into epoch (integer) format before the difference can be calculated.  Try it out in this run-anywhere example:

| makeresults | eval _raw= "Transaction_Log__c: {\"message\":\"Entering doPost method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.880Z\"} {\"message\":\"Source System is : null\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.886Z\"} {\"message\":\"Request Body : {\"data\":{\"dealerCode\":\"FARC\",\"dealerType\":\"Premise\"}}\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.888Z\"} {\"message\":\"Request Type/Parameters are : {}\",\"level\":\"DEBUG\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.889Z\"} {\"message\":\"Deserializing the reqBody\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.890Z\"} {\"message\":\"Entering getSuccessResponse method and parameter are -->TLS_Store__c:{Id=a7O5L000000000zUAA, Name=TELSTRA SHOP BONDI JUNCTION, TLS_DeliveryAddress__c=a2r5L000000YybMQAS, TLS_CompanyName__c=TRS SHOPS, TLS_PremiseCode__c=FARC, TLS_DealerChannel__c=TSN, TLS_DealerStatus__c=Active, TLS_HROrgUnitCode__c=90000561, TLS_DealerABN__c=33051775556, TLS_DealerACN__c=51775556, TLS_DealerEmail__c=bondijunction@team.telstra.com, TLS_DealerPhone__c=1800 723 917, TLS_DealerType__c=Premise, TLS_DealerParent__c=a7O5L000000075BUAQ, TLS_PhysicalAddress__c=a2r5L000000YybMQAS}\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI_ResponseMessages\",\"timestamp\":\"2022-08-03T11:45:25.928Z\"} {\"message\":\"Exiting getSuccessResponse method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI_ResponseMessages\",\"timestamp\":\"2022-08-03T11:45:25.930Z\"} {\"message\":\"Exiting Post method\",\"level\":\"INFO\",\"loggerName\":\"StoreManagementAPI\",\"timestamp\":\"2022-08-03T11:45:25.931Z\"}"
```The above just creates test data ```
| rex max_match=0 "timestamp[[:punct:]]+(?<timestamp>[^\\\"]+)"
| eval first_timestamp=mvindex(timestamp,0), last_timestamp=mvindex(timestamp, -1)
| eval first_ts = strptime(first_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z"), last_ts = strptime(last_timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval diff = last_ts - first_ts
| table timestamp, first_timestamp, last_timestamp, first_ts, last_ts, diff

 

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...