Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract the data between two time stamp fields using _time filed in Splunk logs?

satya671
Explorer
‎03-07-2022 03:10 AM

_time=time1, _raw=some contents

_time=time2, _raw=some contents

_time=time3, _raw=some contents

_time=time4, _raw=some contents

__time=time5, _raw=some contents

 

Now I want to extract the data between time2 and time3 using of _time filed , can anyone help with this?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-07-2022 05:31 AM

How to extract the data depends on the format of the data in _raw.  You could use the extract, spath, xpath, or rex commands to do the work, depending on the nature of the data and what you wish to extract.  You also could use settings in the props.conf file to extract fields automatically.

Please tell us more about the use case so we can be more specific.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

satya671
Explorer
‎03-08-2022 04:46 AM

My use case here is to extract data from last successful run based on the filed _time in the splunk logs

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-08-2022 05:01 AM

Writing the same thing over and over again doesn't explain what you want to do. Give us example of your (anonymized) data, what you want as a result and what is the relation between source events and result.

0 Karma
Reply

satya671
Explorer
‎03-08-2022 05:11 AM

Here I'm trying to extract the some data from the _raw content, 

 

ex : for now data in splunk:  here the success run time will be _time2

_time=time2 , _raw=akjfkajdf4jlfadjf5453

_time=time1 , _raw=akjfkajdf6jlfadjf5457,

 

So, when i again hit the splunk the data available in splunk like below

_time=time3 , _raw=akjfkajdf4jlfadjf5453

_time=time4 , _raw=akjfkajdf6jlfadjf5457,

_time=time2 , _raw=akjfkajdf4jlfadjf5454

_time=time1 , _raw=akjfkajdf6jlfadjf5455,

 

so , using splunk api i need to get the data from last successful run to till now

so my results should contain from time2 to now

_time=time3 , _raw=akjfkajdf4jlfadjf5453

_time=time4 , _raw=akjfkajdf6jlfadjf5457,

 

 

hope this will clarify, lemme know

Need to integrate this logic in the spluk search query.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-08-2022 06:24 AM

I don't understand how you define success.

Is it that you run some external tool using API to run a search on splunk and want to return only the events that were ingested since last successful run of your tool?

If so, you simply use "earliest=something latest=something" conditions. You can specify the "somethings" as unix timestamps (number of seconds since epoch) for simplicity.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...