How to extract the below mentioned fields from the...

Muni9066 · ‎08-09-2023

Hi Team,

I was trying to find out the workstations clock out of sync logs in splunk by using the below query. but I can not getting the expected logs. Also, could not able to see the previous time field in interesting fields but it was existing in raw message field. can someone help me out how to make this query efficient...?

Thanks in advance

Previous Time: ‎2023‎-‎08‎-‎09T09:18:00.490316500Z

gcusello · ‎08-09-2023

Hi @Muni9066 ,

after a stats command you have only the fields listed in the command itself, in your case you have only max(Previous Time) (it's always better to use the AS after a function in stats) and asset_id.

So the other used fields (lastTime, dest, should_timesync) aren't available.

Ciao.

Giuseppe

ITWhisperer · ‎08-09-2023

From what I understand, the "Previous Time" field has not been extracted from the raw logs?

If so, and you need help extracting the field, please share examples of the raw log event in a code block </> so we can assist you in extracting the field.

By the way, in order to do mathematical operations on fields, such as max(), the values should be numeric not strings, so you may need to also consider parsing the string to convert it to a numeric (strptime() function)

How to extract the below mentioned fields from the raw date to interesting fields to apt the efficient query

eval

regex

rex

search job inspector

stats

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk