Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extracting texts from a field

djoobbani
Path Finder
‎11-09-2023 03:18 PM

Hello there:

I have the following two events:

Event #1

source=foo1 

eventid=abc

message="some message dfsdfdfgfdggfg fgdfdgfdg "time":"2023-11-09T21:33:05.0738373837278Z, abcefg"

Event #2

source=foo2

eventid=abc

time: 2023-11-09T21:33:05Z

I need to related these two events based on their event_id and eventid values being the same.

I got help before to write that query:

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID

Now i need to expand the above query by extracting the timestamp from the message field from Event #1

and compare it against the time field from Event #2.

I basically will need to do the timestamp subtraction between the two fields to see if there time differences and by how (second, minutes,etc.)

Do u know how to do that?

Thanks!

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:01 PM

Hi @bowesmana .. just thought to tell you, the rex was missing the closing parenthesis, and your rex and strptime works nicely. 

Hi @djoobbani .. as said on the above reply, pls update us.. the time field is "_time" or you want to extract it from the msg. 

if you want to extract from the msg, then, assuming the 2nd msg also same like 1st msg.. try something like this.. 

| makeresults 
| eval msg1="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:05.0738373837278Z, abcefg"
| eval msg2="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:10.0738373837278Z, abcefg" 
| rex field=msg1 "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex field=msg2 "time.:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t
| table event1_time event2_time diff

this gives the result of:

event1_time	           event2_time             diff
2023-11-09T21:33:05	   2023-11-09T21:33:10	   -5.000000

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2023 04:12 PM

Does the Splunk default _time field represent the time in the data or is it a different time?

If it's a different time, then you need to extract those times (if not already extracted) and then just do the maths after the stats, e.g. something like

 

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| rex "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex "time:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| stats values(*) as * by eventID
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t

 

You may need to adjust the rex statements - this also ignores subsecond values - not sure what 13 decimal places is for in the first time - if you want to include those you'll have to change it a bit.

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:01 PM

Hi @bowesmana .. just thought to tell you, the rex was missing the closing parenthesis, and your rex and strptime works nicely. 

Hi @djoobbani .. as said on the above reply, pls update us.. the time field is "_time" or you want to extract it from the msg. 

if you want to extract from the msg, then, assuming the 2nd msg also same like 1st msg.. try something like this.. 

| makeresults 
| eval msg1="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:05.0738373837278Z, abcefg"
| eval msg2="some message dfsdfdfgfdggfg fgdfdgfdg \"time\":\"2023-11-09T21:33:10.0738373837278Z, abcefg" 
| rex field=msg1 "time.:.(?<event1_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| rex field=msg2 "time.:.(?<event2_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
| eval e1_t=strptime(event1_time, "%FT%T")
| eval e2_t=strptime(event2_time, "%FT%T")
| eval diff=e1_t-e2_t
| table event1_time event2_time diff

this gives the result of:

event1_time	           event2_time             diff
2023-11-09T21:33:05	   2023-11-09T21:33:10	   -5.000000

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

djoobbani
Path Finder
‎11-09-2023 04:59 PM

Thanks @bowesmana 

Ok let's make it simpler, i have this event:

Event

source=abc

time1=2023-11-10T00:33:53Z

time2=2023-11-11T12:33:53Z

How would you construct the query so that time2 is subtracted from time1 and display the time difference in the result using rex?

Thanks!

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2023 07:24 PM

So a single event with two timestamps is easy

| rex "time1=(?<t1>[^Z]*Z)"
| rex "time2=(?<t2>[^Z]*Z)"
| eval t1_t=strptime(t1, "%FT%TZ")
| eval t2_t=strptime(t2, "%FT%TZ")
| eval diff=t2_t-t1_t

You can optimise that to make a single rex if you can guarantee the ordering of your _raw data

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...