Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the best way to concatenate multiple separ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
packet_hunter
Contributor
01-29-2016
09:53 AM
Scenario background : I am searching email logs for all senders and recipients of specific subject. Each email is a chain of event logs that share a Unique ID (UID) for that specific email occurrence.
Here is my current code:
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID
current result headers are:
UID Subj sender recp Hour Minute Second
I would like to combine the Hour Minute Second values into a new field called Time. One caveat is that there are multiple time_second values as the events are separate and correlated by UID. So ideally I would like the Time field to contain complete time information (HH:MM:SS) in each row for each email occurrence. In other words each email has multiple event times because of the multiple event logs, the email events chain.
I know there are a number of ways to do this but I am looking for the best way given my previous code.
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-29-2016
10:00 AM
Try something like this
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID | eval Time=mvzip(mvzip(Hour,Minute,":"),Second,":") | fields - Hour Minute Second
Approach2 (should handle multiple seconds as well)
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID] | eval Time=time_hour.":".time_minute.":".time_second |stats list(subject) as subj list(sender) as sender list(recipient) as recp values(Time) as Time by UID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-29-2016
10:00 AM
Try something like this
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID | eval Time=mvzip(mvzip(Hour,Minute,":"),Second,":") | fields - Hour Minute Second
Approach2 (should handle multiple seconds as well)
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID] | eval Time=time_hour.":".time_minute.":".time_second |stats list(subject) as subj list(sender) as sender list(recipient) as recp values(Time) as Time by UID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
packet_hunter
Contributor
01-29-2016
10:15 AM
Bravo, It works great!!!
However, I lose the additional time values (because there are multiple second values per email occurrence) but I can live with that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-29-2016
10:23 AM
Try the 2nd query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
packet_hunter
Contributor
01-29-2016
12:25 PM
even better! did you write an SPL book?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
