
Splunk Report after keyword

runiyal
Path Finder

I have the following events in the log. Although there are a lot of rows in it, I am interested in these rows only, and in extracting "time:" and anything after "subject:"

---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email
---


So I need to create a report like this -

Time                      | Subject
2016 2021-09-11 11:01:19  | RE: Hello this is first email
2016 2021-09-11 11:01:21  | Re: Hello this is second email
2016 2021-09-11 11:01:22  | Re: Hello this is third email


Thanks!


richgalloway
SplunkTrust

This should get you started.

index=foo "Server 2016" "subject"
| rex "Server 2016 (?<Time>[^,]+).*subject: (?<Subject>.*)"
| replace "T" with " " in Time
| table Time Subject
---
If this reply helps you, an upvote would be appreciated.



runiyal
Path Finder

The only command not working is -

| replace "T" with " " in Time

Still in the result I am seeing - 2021-09-11T11:01:19


richgalloway
SplunkTrust

Try this instead of replace.

| rex field=Time mode=sed "s/T/ /"

---
If this reply helps you, an upvote would be appreciated.

runiyal
Path Finder

Thanks a lot, it worked!


ITWhisperer
SplunkTrust

2016 doesn't appear to be part of a time - what is it about these events that would allow you to distinguish them from other events? E.g. are you interested in all events which contain the string

Problem creating batch from the downloaded mail with subject:
| rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"



runiyal
Path Finder

Yes, anything that's after "interested in all events which contain the string".

When I search with -


index="foo" | rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"

then I am getting following error -

Error in 'rex' command: Encountered the following error while compiling the regex '(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)': Regex: unknown property name after \P or \p.


But if I put a space between *\ and Problem, then it is providing all the rows, even without the event I am looking for, and not in a tabular form.


ITWhisperer
SplunkTrust

Sorry, that was a typo, the \ before the P is not needed.

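As an added illustration (not part of any post above), the accepted answer's rex run in Python over constructed events modelled on the question's, together with the `\P` compile error from the later exchange. It assumes Python's `re` module, which needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; Splunk's `replace` only matches whole field values (unless wildcarded), which is why `replace "T" with " "` left `Time` untouched and `rex mode=sed` was needed.

```python
import re

# Constructed sample events, modelled on the ones quoted in the question
# (timestamps varied so the three rows differ, as in the wanted report).
EVENTS = [
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: RE: Hello this is first email",
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:21,102 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: Re: Hello this is second email",
    "2020.1.02 Windows Server 2016 2021-09-11T11:01:22,417 ERROR pool-11-thread-3 "
    "Problem creating batch from the downloaded mail with subject: Re: Hello this is third email",
    # An unrelated ERROR line (constructed) that must not produce a report row.
    "2020.1.02 Windows Server 2016 2021-09-11T11:05:00,000 ERROR pool-11-thread-3 Connection reset",
]

# The accepted answer's rex with Python's named-group syntax: Time is everything
# after "Server 2016 " up to the comma before the milliseconds, Subject is
# everything after "subject: ".
ACCEPTED_REX = r"Server 2016 (?P<Time>[^,]+).*subject: (?P<Subject>.*)"

# The later rex as first posted, with the stray backslash before "Problem".
TYPO_REX = (r"(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})"
            r".*\Problem creating batch from the downloaded mail with subject: (?P<subject>.*)")


def extract_rows(events, rex=ACCEPTED_REX):
    """Mimic `rex` + `rex field=Time mode=sed "s/T/ /"` + `table Time Subject`."""
    pattern = re.compile(rex)
    rows = []
    for event in events:
        m = pattern.search(event)
        if not m:
            continue  # events without both fields never reach the table
        # sed "s/T/ /" (no g flag) replaces only the first T, which is the
        # ISO date/time separator; str.replace with count=1 does the same.
        time = m.group("Time").replace("T", " ", 1)
        rows.append((time, m.group("Subject")))
    return rows


def regex_compiles(rex):
    """Return the compile error message, or None if the pattern is valid.

    Python reports the stray escape as "bad escape \\P"; Splunk's PCRE wording
    is "unknown property name after \\P or \\p", but the cause is the same.
    """
    try:
        re.compile(rex)
    except re.error as exc:
        return str(exc)
    return None
```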