Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help in handling unstructured data

gopee_splunk
New Member
‎12-24-2014 03:48 AM

I have an Log File as below

starting process 1 (each line is a sinle event in splunk))
processing steps
.
.
.
ending process 1

starting process2
processing steps
.
.
.
ending process 2

starting process3
processing steps
.
.
.
ending process 3

I would like to get data as below.Could you please help me?

Process1 start_time end_time
Process2 start_time end_time
Process3 start_time end_time

0 Karma
Reply

adityapavan18
Contributor
‎12-25-2014 10:58 PM

Try this way. create a field to extract processid.

Then try something like | stats latest(_time) as endtime earliest(_time) as starttime by processid.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-24-2014 07:12 PM

You should fix this as a data source, and parse this correctly as the data is indexed. That will save you time and headaches. You'll need to create a datasource for this via props..

... props.conf ..

      [mymultiline:sourcetype]
      SHOULD_LINEMERGE = True
      BREAK_ONLY_BEFORE = starting process \d+

Add that and restart splunk, add the data again.

BREAK_ONLY_BEFORE = is a regex that will match for the beginning of the event. Adjust this to what your the first line of your event really looks like.

You can find more details on the options for setting this at data ingestion time via the props.conf spec file at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf.

0 Karma
Reply

lguinn2
Legend
‎12-24-2014 05:45 PM

Try this

"starting process" OR "ending process"
| eval starttime=if(match(_raw,"starting process"),_time,null())
| eval endtime = if(match(_raw,"ending process"),_time,null())
| stats max(starttime) as "Start Time" max(endtime) as "End Time" by process_id
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...