I have a Splunk log in the following format:
INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 4688
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 4688 isDone Status true
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 3688 isDone Status false
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-06T12:03:20.083Z
INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders
INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-07T18:03:27.854Z
INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 2688
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 2688 isDone Status true
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1688 isDone Status false
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z
INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-07T12:03:20.083Z
INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders
INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ***ORDER_JOB: ACTIVE at START_TIME***: 2018-05-07T18:03:27.854Z
All the above are separate events. I want to get the data between the ACTIVE start time and the SUCCESSFULLY COMPLETED end time. For example:
starttime listsize totalRecords lastqueriedtimestamp enddate
2018-05-07T18:03:27.854Z 4688 4688 2018-05-06T12:03:20.083Z 2018-05-06T19:03:27.854Z
2018-05-07T18:03:27.854Z 2688 2688 2018-05-07T12:03:20.083Z 2018-05-06T19:03:27.854Z
I know the regex to get each value, but I want to know how to group all the separate events that fall between those two dates. Can anyone please help me do it?
Is there any unique ID to correlate the events, other than just the order of events? These seem like logs for a job, so can there be multiple jobs running simultaneously? If there is no unique correlation key and multiple jobs' logs are overlapping, it would be difficult to achieve what you want.
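Putting the question and the comment together, here is an added Python example (it is not from the original question, nor code from the ORDER_JOB application) that groups the excerpt above into one row per START_TIME/END_TIME pair using the only rule the logs allow, event order, and flags the case the comment warns about: a second START_TIME arriving before the previous END_TIME, which no regex can disambiguate without a job id. The sample lines are constructed from the excerpt (Splunk lists events newest-first, so each run reads END_TIME, body, START_TIME in that order); the overlapping sample, the `JobRun` field names and the `status` column are the example's own.

```python
"""Group ORDER_JOB events into one row per job run (constructed example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The listener writes the markers with a varying number of asterisks
# ("**ACTIVE at START_TIME**:" vs "***ORDER_JOB: ACTIVE at START_TIME***:"),
# so allow any run of them before the colon.
START_RE = re.compile(r"ACTIVE at START_TIME\**:\s*(\S+)")
END_RE = re.compile(r"SUCCESSFULLY COMPLETED at END_TIME\**:\s*(\S+)")
# totalRecords is read from the final page of the query, the one with isDone true.
BODY_FIELDS = (
    ("listsize", re.compile(r"List size:\s*(\d+)"), int),
    ("totalRecords", re.compile(r"Total Size of Records returned (\d+) isDone Status true"), int),
    ("lastqueriedtimestamp", re.compile(r"lastQueriedDateStamp before query:\s*(\S+)"), str),
)


@dataclass
class JobRun:
    starttime: str
    listsize: Optional[int] = None
    totalRecords: Optional[int] = None
    lastqueriedtimestamp: Optional[str] = None
    enddate: Optional[str] = None
    # "complete": START..END pair found. "interrupted": another START_TIME was seen
    # before this run's END_TIME (overlapping jobs, or a crashed one); any body
    # lines after that point are attributed to the newer run, which may be wrong.
    # "open": the search window ended before END_TIME was logged.
    status: str = "open"


def group_job_runs(lines: Iterable[str], newest_first: bool = True) -> List[JobRun]:
    """Walk the events chronologically, open a run at each START_TIME marker and
    attach body fields to it until END_TIME closes it. Splunk returns events
    newest-first, so by default the input is reversed for the walk and the
    runs are handed back in the input's order (newest run first)."""
    events = list(lines)
    if newest_first:
        events.reverse()
    runs: List[JobRun] = []
    current: Optional[JobRun] = None
    for line in events:
        m = START_RE.search(line)
        if m:
            if current is not None:       # previous run never logged END_TIME
                current.status = "interrupted"
                runs.append(current)
            current = JobRun(starttime=m.group(1))
            continue
        if current is None:
            continue                       # body line outside any START/END pair
        m = END_RE.search(line)
        if m:
            current.enddate, current.status = m.group(1), "complete"
            runs.append(current)
            current = None
            continue
        for attr, rx, conv in BODY_FIELDS:
            m = rx.search(line)
            if m:
                setattr(current, attr, conv(m.group(1)))
    if current is not None:
        runs.append(current)               # still "open"
    if newest_first:
        runs.reverse()
    return runs


def render_rows(runs: List[JobRun]) -> List[str]:
    """Space-separated table in the layout the question asks for, plus a status column."""
    rows = ["starttime listsize totalRecords lastqueriedtimestamp enddate status"]
    for r in runs:
        cells = [r.starttime, r.listsize, r.totalRecords, r.lastqueriedtimestamp, r.enddate, r.status]
        rows.append(" ".join("-" if c is None else str(c) for c in cells))
    return rows


P = "INFO com.tmobile.sfdc.reports."
# Constructed sample: the excerpt from the question, in Splunk's newest-first order.
SAMPLE_LOG = [
    P + "batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z",
    P + "service.OrderService - ORDER_JOB: List size: 4688",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 4688 isDone Status true",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 3688 isDone Status false",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false",
    P + "service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z",
    P + "service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-06T12:03:20.083Z",
    P + "batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders",
    P + "batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-07T18:03:27.854Z",
    P + "batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z",
    P + "service.OrderService - ORDER_JOB: List size: 2688",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 2688 isDone Status true",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 1688 isDone Status false",
    P + "service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false",
    P + "service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-07T12:03:20.083Z",
    P + "batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders",
    P + "batch.listener.OrderJobListener - ***ORDER_JOB: ACTIVE at START_TIME***: 2018-05-07T18:03:27.854Z",
]
# Constructed counter-example for the comment's caveat: a second job starts before
# the first one logs END_TIME. Written oldest-first, so pass newest_first=False.
OVERLAP_LOG = [
    P + "batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-08T10:00:00.000Z",
    P + "service.OrderService - ORDER_JOB: List size: 10",
    P + "batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-08T10:00:05.000Z",
    P + "service.OrderService - ORDER_JOB: List size: 20",
    P + "batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-08T10:01:00.000Z",
]

if __name__ == "__main__":
    print("\n".join(render_rows(group_job_runs(SAMPLE_LOG))))
    print("\n".join(render_rows(group_job_runs(OVERLAP_LOG, newest_first=False))))
```

Run on the excerpt this produces the two rows from the question, both marked `complete`; on the overlapping sample the first run comes out `interrupted` with no end date, and the `List size: 20` line is credited to the second run purely because it came later, which is exactly the ambiguity the comment describes. The Splunk-native form of the same order-based grouping is `transaction startswith="ACTIVE at START_TIME" endswith="SUCCESSFULLY COMPLETED at END_TIME"`, and it has the same blind spot: without a field such as a job or run id to group on, overlapping runs are split or merged on order alone, so the fix is to get the application to log one.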