I have a date string that I want to use in a search, but I don't know how.
I have this text (called date_info ) as part of a log line:
Nov 12 13:36:09 server_01 server: 2019-11-12 13:36:09
Now date_info has some problems, namely the fact that it has the date repeated multiple times, but the one thing I am looking for is the date at the end, namely 2019-11-12 13:36:09 .
I am able to fetch that last part and convert it into a real date via the following query:
host=server00 date_info=* | eval date_str=substr(date_info, -19) | eval real_date=strptime(date_str,"%Y-%m-%d %H:%M:%S") | table real_date date_str field1 field2
The problem here is that I want to get all logs after real_date . I cannot use _time from Splunk because these logs were added manually in a batch process, so the date I can use is the one in text.
I have checked the Time Modifiers documentation but it is still unclear to me how to use it.
How can I get all the logs after real_date ?
Thanks for the query! Could you explain to me why my replace was incorrect and why using rex was better for my use case?
I don't quite understand what you mean with "full string replacements".
I have a log file where I have extracted some fields. I am trying to parse a field to get the numeric values it has using replace but it is not working and I don't understand why.
I have a long log file and one of the fields I extracted is called metrics_total and has the following format: "Total: __decimal_number__" , where decimal number is any floating point number.
My objective is to create an average of this field, but because I have the string "Total: " the avg command fails. So I am trying to remove it using replace . However I am failing.
This is how I am trying to use replace:
(host=host00 OR host=host01) endpoint=* http_method=* http_status=200 metrics_total=* | replace "Total: " with "" in metrics_total | table http_method endpoint metrics_total
Where host , endpoint , http_method , http_status and metrics_total are extracted fields.
The issue here is that no matter what I do, nothing changes. This is what I get:
GET /product/bananas Total: 0.087
GET /product/apples Total: 0.003
GET /cart/checkout Total: 0.005
And this is what I actually want to achieve:
GET /product/bananas 0.087
GET /product/apples 0.003
GET /cart/checkout 0.005
Here I would get only the numbers instead of the whole Total: 0.087 string.
Going even further I would really like to have this field computed into an average. As in, the avg(metrics_total) for each endpoint grouped by http_method .
What is wrong in my usage of replace?
How can I compute the average metric for each endpoint grouped by http_method?
Is there an easier way to achieve my objective? (Am I complicating things too much?)
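An added example (not from the original posts or any reply) covering both questions above: the first search filters on the date parsed out of date_info, assuming a fixed cutoff of 2019-11-12 13:36:09 as a placeholder; the second strips the "Total: " prefix with rex and averages per endpoint and method; the third shows the replace form, which only matches whole field values and therefore needs a wildcard.

```spl
host=server00 date_info=*
| eval date_str=substr(date_info, -19)
| eval real_date=strptime(date_str, "%Y-%m-%d %H:%M:%S")
| eval cutoff=strptime("2019-11-12 13:36:09", "%Y-%m-%d %H:%M:%S")
| where real_date > cutoff
| table date_str real_date field1 field2

(host=host00 OR host=host01) endpoint=* http_method=* http_status=200 metrics_total=*
| rex field=metrics_total "Total:\s+(?<total>[0-9.]+)"
| stats avg(total) AS avg_total BY http_method endpoint

(host=host00 OR host=host01) endpoint=* http_method=* http_status=200 metrics_total=*
| replace "Total: *" WITH "*" IN metrics_total
| stats avg(metrics_total) AS avg_total BY http_method endpoint
```

The cutoff value is only a placeholder; in practice it would come from a subsearch or a token rather than a literal.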