Splunk is a wonderful tool but...it needs some study! Your task isn't very complex but I strongly suggest you study some documentation or:
- case 1: you will cycle inside this query forever
- case 2: you will not achieve the result
- case 3: both 🙂
Back to the qry:
Be sure you're indexing your event correctly --> it starts with "01" and ends with "05"; if, for example, you've indexed with a newline as linebreak, you can't process it in the right way. In your event, the linebreak is the "01"
If you don't need all the steps (01, 02, and so on) and you have a large dataset, a good approach is to create a summary index with one-line events (i.e.: Module started at, ended at, duration and exit code); you can (read: should!) put the rex extraction inside a props and perform it at index time or search time
You will need a unique ID per event; it's useful for later calculations. If your event doesn't have an ID, you can create it yourself using the random function
Searching for Export AND 32 doesn't work because, with the qry I sent you, you end up with a multivalue field (one row for each event, all event steps inside the same row). Use this
index="main" sourcetype="event"
| rex max_match=100 field=_raw "\"05\"\,\"(?<Module_StartDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_StartTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_EndDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_EndTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_Name>.*?)\",\"(?<Module_ExitCode>.\d{1,3})\",\"(?<Module_Host>.*?)\","
| fields Module*
| table Module*
and look at how the event steps are grouped together; starting from there, you have multiple options (have a look at the docs, especially for handling multivalue fields); some random examples
Calculate the overall StartDate and EndDate + the last exit code
index="main" sourcetype="event"
| rex max_match=100 field=_raw "\"05\"\,\"(?<Module_StartDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_StartTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_EndDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_EndTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_Name>.*?)\",\"(?<Module_ExitCode>.\d{1,3})\",\"(?<Module_Host>.*?)\","
| fields Module*
| eval Task_Start = mvindex(Module_StartDate,0) . " " . mvindex(Module_StartTime,0)
| eval Task_End = mvindex(Module_EndDate,-1) . " " . mvindex(Module_EndTime,-1)
| eval Task_ExitCode = mvindex(Module_ExitCode,-1)
| table Task_Start, Task_End Task_ExitCode
Same as above but with a uniqueID and a distinct of all ExitCodes
index="main" sourcetype="event"
| rex max_match=100 field=_raw "\"05\"\,\"(?<Module_StartDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_StartTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_EndDate>\d{4}-\d{2}-\d{2})\",\"(?<Module_EndTime>\d{2}:\d{2}:\d{2})\",\"(?<Module_Name>.*?)\",\"(?<Module_ExitCode>.\d{1,3})\",\"(?<Module_Host>.*?)\","
| fields Module*
| eval uniqueID = random()
| eval Task_Start = mvindex(Module_StartDate,0) . " " . mvindex(Module_StartTime,0)
| eval Task_End = mvindex(Module_EndDate,-1) . " " . mvindex(Module_EndTime,-1)
| eval Task_ExitCode = mvindex(Module_ExitCode,-1)
| stats values(Task_Start), values(Task_End) values(Module_ExitCode) by uniqueID
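To check the rex pattern and the mvindex logic from this answer offline before putting it in props.conf, here is an added Python example (not part of the original answer and not Splunk code) that runs the same regex over a constructed sample event; the event layout, the step names and the exit codes are assumptions.

```python
import re

# Same capture groups as the rex in the answer, in Python syntax ((?P<name>...)).
MODULE_RE = re.compile(
    r'"05","(?P<Module_StartDate>\d{4}-\d{2}-\d{2})","(?P<Module_StartTime>\d{2}:\d{2}:\d{2})",'
    r'"(?P<Module_EndDate>\d{4}-\d{2}-\d{2})","(?P<Module_EndTime>\d{2}:\d{2}:\d{2})",'
    r'"(?P<Module_Name>.*?)","(?P<Module_ExitCode>.\d{1,3})","(?P<Module_Host>.*?)",'
)

# Constructed sample event: one "01" header line, then one "05" line per module step.
# Field layout, step names and exit codes are assumptions, not taken from the original post.
SAMPLE_EVENT = (
    '"01","2024-01-10","08:00:00","batch-42",\n'
    '"05","2024-01-10","08:00:00","2024-01-10","08:05:12","Export","00","host-a",\n'
    '"05","2024-01-10","08:05:12","2024-01-10","08:09:45","Transform","00","host-a",\n'
    '"05","2024-01-10","08:09:45","2024-01-10","08:10:03","Load","32","host-b",\n'
)

def extract_modules(raw, max_match=100):
    """Emulate `rex max_match=N`: one dict per matched "05" step, in event order."""
    return [m.groupdict() for m in MODULE_RE.finditer(raw)][:max_match]

def mvindex(values, i):
    """Splunk mvindex() semantics: a negative index counts from the end, out of range -> None."""
    try:
        return values[i]
    except IndexError:
        return None

def summarise_task(raw):
    """Reproduce the Task_Start / Task_End / Task_ExitCode evals plus the distinct exit codes."""
    steps = extract_modules(raw)
    if not steps:  # no "05" rows matched (e.g. wrong linebreak): nothing to summarise
        return None
    col = lambda field: [s[field] for s in steps]  # the multivalue field Module_<field>
    return {
        "Task_Start": mvindex(col("Module_StartDate"), 0) + " " + mvindex(col("Module_StartTime"), 0),
        "Task_End": mvindex(col("Module_EndDate"), -1) + " " + mvindex(col("Module_EndTime"), -1),
        "Task_ExitCode": mvindex(col("Module_ExitCode"), -1),
        "ExitCodes": sorted(set(col("Module_ExitCode"))),  # what values(Module_ExitCode) gives
    }

def steps_matching(raw, name, exit_code):
    """Row-level check: steps whose name AND exit code sit in the same "05" line.
    A raw-text search for both terms matches the whole event even when they belong
    to different steps; this is the per-step test that search alone cannot do."""
    return [s for s in extract_modules(raw)
            if s["Module_Name"] == name and s["Module_ExitCode"] == exit_code]
```

With the sample event, "Export" and "32" are both present in the raw text but never in the same step, which is exactly why the plain search gives misleading hits.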