How to group by date range from JSON Values?
augustocadini
New Member
04-01-2020
08:03 AM
I'm new to Splunk. In my log I have a JSON with two fields of interest: "initialCreationDate":"2020-03-02T00:00:00","finalCreationDate":"2020-04-01T11:53:29". My goal is to take the count where the results have a range in between these fields. At this time I tried to get only the first field and make a count using > against a string example. But it's not working.
```
index=foo | rex field=raw "REQ=(?<REQ>[^}]+})" | spath input=REQ | eval n=strptime(REQ.initialCreationDate,"%Y-%m-%dT%H:%M:%S") | stats count by n > strptime("2020-03-26T00:00:00")
```
Log sample:
```
[class] 2020-04-01 11:53:29,847 INFO [http-nio-80-exec-19] M=method, UA=ua, URI=/someUri, QS=limit=21&offset=0&sort=-createDate, RT=128, ET=100, ELAPSE-TIME=129, REQ={"userId":xxx,"initialCreationDate":"2020-03-02T00:00:00","finalCreationDate":"2020-04-01T11:53:29","source":"src","s":[0],"accounting":"C","consider":true}
```
to4kawa
Ultra Champion
04-01-2020
04:28 PM
```
| makeresults
| eval _raw="[class] 2020-04-01 11:53:29,847 INFO [http-nio-80-exec-19] M=method, UA=ua, URI=/someUri, QS=limit=21&offset=0&sort=-createDate, RT=128, ET=100, ELAPSE-TIME=129, REQ={\"userId\":xxx,\"initialCreationDate\":\"2020-03-02T00:00:00\",\"finalCreationDate\":\"2020-04-01T11:53:29\",\"source\":\"src\",\"s\":[0],\"accounting\":\"C\",\"consider\":true}"
| rex max_match=0 "Date\":\"(?<Date>\S+?)\""
| eval date=mvmap(Date,strptime(Date,"%FT%T"))
| stats range(date) as duration
| eval duration=tostring(round(duration),"duration")
| rex field=duration mode=sed "s/(\d+)\+(\d\d):(\d\d):(\d\d)/\1d \2h \3m \4s/"
```
mvmap requires Splunk version 8.
- The first rex extracts the two Date values.
- These are multivalue. I use mvmap with strptime to change the time strings to UNIX (epoch) time.
- stats range() calculates the difference between the two times.
- tostring changes seconds to a human-readable form.
- The last rex displays the duration more readably.
How about this?
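An added example, not part of either post, that does what the question asks: count the requests whose initialCreationDate..finalCreationDate window lies before, after, or across a chosen point in time. The three log lines are constructed, the cutoff of 2020-03-26 is assumed, and the field names start, end, cutoff and position are my own.

```spl
| makeresults count=3
| streamstats count as n
| eval _raw=case(
    n=1, "[class] 2020-04-01 11:53:29,847 INFO [http-nio-80-exec-19] M=method, UA=ua, URI=/someUri, REQ={\"userId\":1,\"initialCreationDate\":\"2020-03-02T00:00:00\",\"finalCreationDate\":\"2020-04-01T11:53:29\",\"source\":\"src\"}",
    n=2, "[class] 2020-04-01 11:54:02,101 INFO [http-nio-80-exec-20] M=method, UA=ua, URI=/someUri, REQ={\"userId\":2,\"initialCreationDate\":\"2020-03-27T00:00:00\",\"finalCreationDate\":\"2020-03-31T23:59:59\",\"source\":\"src\"}",
    n=3, "[class] 2020-04-01 11:55:10,555 INFO [http-nio-80-exec-21] M=method, UA=ua, URI=/someUri, REQ={\"userId\":3,\"initialCreationDate\":\"2020-03-01T00:00:00\",\"finalCreationDate\":\"2020-03-10T00:00:00\",\"source\":\"src\"}")
| rex field=_raw "REQ=(?<REQ>\{.*\})"
| spath input=REQ path=initialCreationDate output=initialCreationDate
| spath input=REQ path=finalCreationDate output=finalCreationDate
| eval start=strptime(initialCreationDate,"%Y-%m-%dT%H:%M:%S")
| eval end=strptime(finalCreationDate,"%Y-%m-%dT%H:%M:%S")
| eval cutoff=strptime("2020-03-26T00:00:00","%Y-%m-%dT%H:%M:%S")
| eval position=case(end<cutoff, "before cutoff", start>cutoff, "after cutoff", true(), "spans cutoff")
| stats count by position
```

The rex pulls the JSON object out of _raw, spath reads each date into its own field (avoiding the `REQ.initialCreationDate` dotted-name problem in eval), both dates and the cutoff become epoch numbers before any comparison, and the final stats gives one row per position (here one event each); add `| where position="spans cutoff"` before the stats if only the overlapping requests should be counted.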
