Splunk Search

How to filter out timestamp without miliseconds?

DPOIRE
Path Finder

We have 2 types of orders in the system, some are entered manually by phone and some are processed automatically as they are fed by other systems.
The way I can differentiate is by the order timestamps:
Phone orders do not contain miliseconds in the order timestamp (2022-09-16T17:07:41Z)
Orders filled automatically by other systems contain miliseconds (2022-09-16T16:22:28.573Z)
I am calculating the processing delays on these orders but I want to display the results on 2 rows:
1. Phone orders max delays
2. System orders max delays

Here is what I am using now:
MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" offset_field=_extracted_fields_bounds | rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" offset_field=_extracted_fields_bounds0 | eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| stats max(Delay)

Note: the goal is not to add or remove the miliseconds information

 

 

Labels (2)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Differentiating the timestamps is just a matter of looking for those with a "." in them.

MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" 
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" 
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Differentiating the timestamps is just a matter of looking for those with a "." in them.

MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" 
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" 
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType
---
If this reply helps you, Karma would be appreciated.

DPOIRE
Path Finder

Thanks!

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...