Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extracting texts from a field

djoobbani
Path Finder
‎11-09-2023 03:18 PM

Hello there:

I have the following two events:

Event #1

source=foo1 

eventid=abc

message="some message dfsdfdfgfdggfg fgdfdgfdg "time":"2023-11-09T21:33:05.0738373837278Z, abcefg"

Event #2

source=foo2

eventid=abc

time: 2023-11-09T21:33:05Z

I need to related these two events based on their event_id and eventid values being the same.

I got help before to write that query:

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID

Now i need to expand the above query by extracting the timestamp from the message field from Event #1

and compare it against the time field from Event #2.

I basically will need to do the timestamp subtraction between the two fields to see if there time differences and by how (second, minutes,etc.)

Do u know how to do that?

Thanks!

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:01 PM

Hi @bowesmana .. just thought to tell you, the rex was missing the closing parenthesis, and your rex and strptime works nicely. 

Hi @djoobbani .. as said on the above reply, pls update us.. the time field is "_time" or you want to extract it from the msg. 

if you want to extract from the msg, then, assuming the 2nd msg also same like 1st msg.. try something like this.. 

| makeresults 
| eval msg1="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:05.0738373837278Z, abcefg"
| eval msg2="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:10.0738373837278Z, abcefg" 
| rex field=msg1 "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex field=msg2 "time.:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t
| table event1_time event2_time diff

this gives the result of:

event1_time	           event2_time             diff
2023-11-09T21:33:05	   2023-11-09T21:33:10	   -5.000000

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2023 04:12 PM

Does the Splunk default _time field represent the time in the data or is it a different time?

If it's a different time, then you need to extract those times (if not already extracted) and then just do the maths after the stats, e.g. something like

 

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| rex "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex "time:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| stats values(*) as * by eventID
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t

 

You may need to adjust the rex statements - this also ignores subsecond values - not sure what 13 decimal places is for in the first time - if you want to include those you'll have to change it a bit.

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:01 PM

Hi @bowesmana .. just thought to tell you, the rex was missing the closing parenthesis, and your rex and strptime works nicely. 

Hi @djoobbani .. as said on the above reply, pls update us.. the time field is "_time" or you want to extract it from the msg. 

if you want to extract from the msg, then, assuming the 2nd msg also same like 1st msg.. try something like this.. 

| makeresults 
| eval msg1="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:05.0738373837278Z, abcefg"
| eval msg2="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:10.0738373837278Z, abcefg" 
| rex field=msg1 "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex field=msg2 "time.:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t
| table event1_time event2_time diff

this gives the result of:

event1_time	           event2_time             diff
2023-11-09T21:33:05	   2023-11-09T21:33:10	   -5.000000

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

djoobbani
Path Finder
‎11-09-2023 04:59 PM

Thanks @bowesmana 

Ok let's make it simpler, i have this event:

Event

source=abc

time1=2023-11-10T00:33:53Z

time2=2023-11-11T12:33:53Z

How would you construct the query so that time2 is subtracted from time1 and display the time difference in the result using rex?

Thanks!

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2023 07:24 PM

So a single event with two timestamps is easy

| rex "time1=(?<t1>[^Z]*Z)"
| rex "time2=(?<t2>[^Z]*Z)"
| eval t1_t=strptime(t1, "%FT%TZ")
| eval t2_t=strptime(t2, "%FT%TZ")
| eval diff=t2_t-t1_t

You can optimise that to make a single rex if you can guarantee the ordering of your _raw data

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...