Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Report after keyword

runiyal
Path Finder
‎09-11-2021 08:38 AM

I have following events in the log. Although there are lot of rows in it but I interested in these rows only and in extracting "time: and anything after "subject:"

 

 

---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: RE: Hello this is first email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is second email
---
2020.1.02 Windows Server 2016 2021-09-11T11:01:19,865 ERROR pool-11-thread-3 Problem creating batch from the downloaded mail with subject: Re: Hello this is third email
---

 

 

So need to a create a report like this -

TimeSubject
2016 2021-09-11 11:01:19RE: Hello this is first email
2016 2021-09-11 11:01:21Re: Hello this is second email
2016 2021-09-11 11:01:22Re: Hello this is third email

 

Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2021 09:59 AM

This should get you started.

index=foo "Server 2016" "subject"
| rex "Server 2016 (?<Time>[^,]+).*subject: (?<Subject>.*)"
| replace "T" with " " in Time
| table Time Subject
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2021 09:59 AM

This should get you started.

index=foo "Server 2016" "subject"
| rex "Server 2016 (?<Time>[^,]+).*subject: (?<Subject>.*)"
| replace "T" with " " in Time
| table Time Subject
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

runiyal
Path Finder
‎09-11-2021 12:17 PM

Only command not working is -

| replace "T" with " " in Time

Still in the result I am seeing - 2021-09-11T11:01:19

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2021 04:44 PM

Try this instead of replace.

| rex field=Time mode=sed "s/T/ /"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

runiyal
Path Finder
‎09-11-2021 06:09 PM

Thanks a lot, it worked!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2021 09:47 AM

2016 doesn't appear to be part of a time - what is it about these events that would allow you to distinguish them from other events e.g.  are you interested in all events which contain the string

Problem creating batch from the downloaded mail with subject:
| rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"

 

0 Karma
Reply
Solved! Jump to solution

runiyal
Path Finder
‎09-11-2021 10:52 AM

Yes,  anything thats after "interested in all events which contain the string".

When I search with -

 

index="foo" | rex "(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)"

then I am getting following error -

Error in 'rex' command: Encountered the following error while compiling the regex '(?<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}).*\Problem creating batch from the downloaded mail with subject: (?<subject>.*)': Regex: unknown property name after \P or \p.

 

But if I put a space between *\ and Problem, then it is providing all the rows, even without the even I am looking for and not in a tabular form.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2021 02:20 PM

Sorry, that was a typo, the \ before the P is not needed

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...