Re: To pick the specific log time

surens · ‎12-15-2022

Hi all,

My lead give some task .To create a table, we have lot of source type ... source type have the different states which means up and down.the source type is up we get one log msg , suppose source type is down we get log each 5min once.....in one day we have more than 1also posible...now how I take the first down msg after up

gcusello · ‎12-15-2022

Hi @surens,

using eval, you have to define the status, something like this:

index=your_index
| eval status=case(state="message_up_1!,"up",state="message_up_2!,"up",state="message_up_3!,"up",state="message_down_1!,"down",state="message_down_2!,"down",state="message_down_3!,"down")
| table _time status

then you can also have statistics or time distributions.

Ciao.

Giuseppe

surens · ‎12-15-2022

It get latest time of the status only I want know the earliest time . Like 1 Down msg time after the up

gcusello · ‎12-15-2022

Hi @surens,

this is one of the few cases that I use transaction command:

index=your_index
| transaction startswith="state=message_up_1!" OR "state=message_up_2! OR "state=message_up_3" endswith="state=message_down_2!" OR "state=message_down_2!" OR state="message_down_3!"
| table _time other_fields

Ciao.

Giuseppe

How to pick the specific log time?

field extraction

subsearch

table

timechart

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?