Splunk Search

How to filter out timestamp without miliseconds?

DPOIRE
Path Finder

We have 2 types of orders in the system, some are entered manually by phone and some are processed automatically as they are fed by other systems.
The way I can differentiate is by the order timestamps:
Phone orders do not contain miliseconds in the order timestamp (2022-09-16T17:07:41Z)
Orders filled automatically by other systems contain miliseconds (2022-09-16T16:22:28.573Z)
I am calculating the processing delays on these orders but I want to display the results on 2 rows:
1. Phone orders max delays
2. System orders max delays

Here is what I am using now:
MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" offset_field=_extracted_fields_bounds | rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" offset_field=_extracted_fields_bounds0 | eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| stats max(Delay)

Note: the goal is not to add or remove the miliseconds information

 

 

Labels (3)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Differentiating the timestamps is just a matter of looking for those with a "." in them.

MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" 
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" 
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Differentiating the timestamps is just a matter of looking for those with a "." in them.

MySearch  | rex field=_raw "(?ms)^(?:[^ \\n]* ){9}\"(?P<TradeDateTS>[^\"]+)" 
| rex field=_raw "^(?:[^ \\n]* ){7}\"(?P<StoreTS>[^\"]+)" 
| eval Delay = (strptime(StoreTS, "%Y-%m-%dT%H:%M:%S.%N"))-(strptime(TradeDateTS, "%Y-%m-%dT%H:%M:%S.%N"))
| eval orderType=if(match(TradeDateTS, "\."), "auto", "phone")
| stats max(Delay) by orderType
---
If this reply helps you, Karma would be appreciated.

DPOIRE
Path Finder

Thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...