Hi-
I have the sample logs below and I want the output to be in this format.
1st Columns = BatchJobsName
2nd Col = Date
3rd Col = Start Time
4th Col = End Time
5th Col = Results
where: The BatchJobsName column is the "emailJustifications" or the "sendBelga" in the sample logs below;
The Date is the date found in "fired at:" in the sample logs below;
The Start Time is the time found in "fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at:";
The End Time is the time found in "Job DEFAULT.emailJustificationsJobLauncher fired at:";
The Result is the "result="
SAMPLE LOGS:
2014-09-05 23:57:24,644 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired at: 05/09/2014 23:59:24 result=OK
2014-09-05 23:57:24,531 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at: 23:57:19 09/05/2014
2014-09-05 23:55:00,723 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaJobLauncherUST fired at: 05/09/2014 23:55:00 result=ERROR
2014-09-05 23:55:00,712 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaLauncherUST fired (by trigger DEFAULT.sendBelgaTriggerUST) at: 21:55:00 09/05/2014
Hi isaias.Garcia,
based on the provided examples, try something like this:
your base search here
| rex "(?<=DEFAULT\.)(?<BatchJobsName>.+)(?=(JobLauncher)|(Launcher))"
| rex "(?<=fired\sat\:\s\s)(?<Date>.+?)(?=\s)"
| rex "(?<=at\:\s\s)(?<StartTime>.+?)(?=\s(\d+\/){2}\d+)"
| rex "(?<=(\d{2}\/){2}\d{4}\s)(?<EndTime>.+?)(?=\s)"
each regex
will provide a new field which can be used in further Splunk commands. Regarding the result=OK
or result=ERROR
, this field should be extracted by Splunk already because it is key value based.
As soon as the result matches your needs, setup auto field extraction based on the regex - see the docs about Add fields at search time
hope that helps ... and yes there are probably better regex, but this should get you started.
cheers, MuS
updated some regex...