Hi,
I'll try to help, but you need to be more specific on the output; have you copied/pasted the query into Splunk? Also:
Don't focus on my "ID" assumption; it really doesn't matter, nor does it change the results. You will, however, need an ID to identify which row belongs to which "master" event. Also, grouping by the document ID will solve the other problem (first event fails without notice and a new, successful event is created later).
The query I sent you above doesn't care if there are 2 or 2000 ModuleX rows, nor if there are multiple rows with the same ModuleName. If you look at the dummy event in the query, I have added two ModuleA rows with different times and StatusCode. Once you have all fields separated and identified, you can perform as many calculations as you want; in the query below, as an example, I have added the Duration field for each ModuleX row.
| makeresults
| eval _raw =
"01,180905180210113,0
02,ABCXYZ,2018-09-05,18:18:56
03,0,0,0,0,0,1,1
04,Batch_Type,0
05,2018-09-05,18:18:56,2018-09-05,18:18:57,ModuleA,99,HOST
05,2018-09-05,18:18:58,2018-09-05,18:18:59,ModuleB,64,HOST
05,2018-09-05,18:19:31,2018-09-05,18:19:33,ModuleC,64,HOST
05,2018-09-05,18:19:51,2018-09-05,18:19:53,ModuleD,64,HOST
05,2018-09-05,18:19:55,2018-09-05,18:19:58,ModuleA,64,HOST"
`comment("REMOVE the above, it's just to create a dummy event, and fit your base search")`
| rex field=_raw "(?<Module05>05\,\d{4}-\d{2}-\d{2}.*)" max_match=10
| rex field=_raw "01,(?<ID>\d{15}),0"
| fields - _raw _time
| mvexpand Module05
| rex field=Module05 "Module(?<ModuleIdentifier>.)\," max_match=10
| rex field=Module05 "05,(?<StartDate>\d{4}-\d{2}-\d{2}),(?<StartTime>\d{2}:\d{2}:\d{2}),(?<FinishDate>\d{4}-\d{2}-\d{2}),(?<FinishTime>\d{2}:\d{2}:\d{2}),(?<NameOfModule>Module.),(?<StatusCode>\d{2}),(?<Host>.*)"
| fields - Module05
| eval Module{ModuleIdentifier}StartDate = StartDate
| eval Module{ModuleIdentifier}StartTime = StartTime
| eval Module{ModuleIdentifier}FinishDate = FinishDate
| eval Module{ModuleIdentifier}FinishTime = FinishTime
| eval Module{ModuleIdentifier}Duration = strptime(FinishTime, "%H:%M:%S") - strptime(StartTime, "%H:%M:%S")
| eval Module{ModuleIdentifier}StatusCode = StatusCode
| eval Module{ModuleIdentifier}Host = Host
| fields Module* ID
| fields - ModuleIdentifier
| stats values(*) as * by ID
By using multivalued fields, you are able to group all events related to the same ModuleX and then process them individually (i.e. row by row) or as a group (e.g. sum).
Note: the query can be optimized; I'm keeping it simple (aka more steps than needed) to allow easier reading for you.
PaoloR
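The same parse-then-group logic as an added Python example (mine, not PaoloR's SPL and not part of the original thread), for anyone who wants to sanity-check the extraction outside Splunk. It assumes only the row layout of the dummy event above (a `01,<ID>,0` header row followed by `05,...` module rows); the two-record sample input is constructed, and `module_summary` is my own helper. Unlike the post's `strptime` on the time alone, the Duration here is computed from date plus time, so a module that runs across midnight still gets a positive value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two "master" events in the same layout as the dummy
# event from the post. The first record has ModuleA twice (a failed 99 and a
# later successful 64), which is exactly the case grouping by ID has to handle.
SAMPLE_RAW = """01,180905180210113,0
02,ABCXYZ,2018-09-05,18:18:56
03,0,0,0,0,0,1,1
04,Batch_Type,0
05,2018-09-05,18:18:56,2018-09-05,18:18:57,ModuleA,99,HOST
05,2018-09-05,18:18:58,2018-09-05,18:18:59,ModuleB,64,HOST
05,2018-09-05,18:19:31,2018-09-05,18:19:33,ModuleC,64,HOST
05,2018-09-05,18:19:51,2018-09-05,18:19:53,ModuleD,64,HOST
05,2018-09-05,18:19:55,2018-09-05,18:19:58,ModuleA,64,HOST
01,180905182000001,0
02,ABCXYZ,2018-09-05,18:20:00
05,2018-09-05,18:20:01,2018-09-05,18:20:05,ModuleB,64,HOST
"""

# Same patterns as the two rex commands in the post, anchored to whole lines.
ID_RE = re.compile(r"^01,(?P<ID>\d{15}),0$")
MODULE_RE = re.compile(
    r"^05,(?P<StartDate>\d{4}-\d{2}-\d{2}),(?P<StartTime>\d{2}:\d{2}:\d{2}),"
    r"(?P<FinishDate>\d{4}-\d{2}-\d{2}),(?P<FinishTime>\d{2}:\d{2}:\d{2}),"
    r"(?P<NameOfModule>Module(?P<ModuleIdentifier>.)),(?P<StatusCode>\d{2}),(?P<Host>.*)$"
)
MODULE_FIELDS = ("StartDate", "StartTime", "FinishDate", "FinishTime",
                 "Duration", "StatusCode", "Host")


def parse_records(raw):
    """Return {ID: [module row dicts]}: the rex for ID plus mvexpand of the
    05 rows, with a Duration (seconds) computed per row."""
    records = defaultdict(list)
    current_id = None
    for line in raw.splitlines():
        m = ID_RE.match(line)
        if m:
            current_id = m.group("ID")  # every following 05 row belongs to this event
            continue
        m = MODULE_RE.match(line)
        if m and current_id is not None:
            row = m.groupdict()
            fmt = "%Y-%m-%d %H:%M:%S"
            start = datetime.strptime(f"{row['StartDate']} {row['StartTime']}", fmt)
            finish = datetime.strptime(f"{row['FinishDate']} {row['FinishTime']}", fmt)
            row["Duration"] = (finish - start).total_seconds()
            records[current_id].append(row)
    return dict(records)


def pivot_by_module(records):
    """Emulate 'eval Module{ModuleIdentifier}<Field> ... | stats values(*) as * by ID':
    one row per ID, one multivalued (deduplicated, sorted) field per ModuleX attribute."""
    out = {}
    for rec_id, rows in records.items():
        fields = defaultdict(set)
        for row in rows:
            for name in MODULE_FIELDS:
                fields[f"Module{row['ModuleIdentifier']}{name}"].add(row[name])
        out[rec_id] = {k: sorted(v) for k, v in fields.items()}
    return out


def module_summary(records, rec_id, module_name):
    """Row-by-row view of one ModuleX inside one event: attempts, total runtime,
    and the StatusCode of the last attempt (the one that actually counts)."""
    rows = [r for r in records[rec_id] if r["NameOfModule"] == module_name]
    return {
        "attempts": len(rows),
        "total_duration": sum(r["Duration"] for r in rows),
        "final_status": rows[-1]["StatusCode"] if rows else None,
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RAW)
    for rec_id, fields in pivot_by_module(recs).items():
        print(rec_id, fields)
    print(module_summary(recs, "180905180210113", "ModuleA"))
```

`pivot_by_module` reproduces the wide, multivalued table the SPL ends with, while `module_summary` shows the row-by-row processing the post mentions: for the first record it reports two ModuleA attempts, 4 seconds in total, and a final StatusCode of 64, which is the "first attempt failed, later attempt succeeded" case that only becomes visible once rows are grouped by the document ID.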