Solved: How to convert my time field for use in a timechar...

subtrakt · ‎02-23-2015

Any suggestions on how to timechart an unusual timestamp that comes inside the log entry.

These logs come in every night at midnight.

I want to run a scheduled search at 6pm that same day every day which charts the 'EXPIRES' field below as Time by CONTRACT

Here's the functional stats query:

index=contracts | rex "(?i)Contract (?P<CONTRACT>.*on+)(?P<EXPIRES>.*)" | stats count by CONTRACT, EXPIRES

log example:

Contract Honda Civic 144433 expires on Sun Feb 23 21:16:55 2015 GMT

Here's the EXPIRES field value that i would like to timechart:

Sun Nov 2 21:16:55 2014 GMT

Dysfunctional timechart search:

index=contracts | rex "(?i)contract (?P<CONTRACT>.*on+)(?P<EXPIRES>.*)" | timechart EXPIRES AS _time by CONTRACT

cpetterborg · ‎02-23-2015

Just to make a tweak to your regex:

rex "Contract\s+(?P<CONTRACT>.+\s+expires on\s+)(?P<EXPIRES>.+)"

This cleanup will not put "expires" in the CONTRACT, prevent misparsing of the CONTRACT name (if there is "on" in the name), and eliminate the space at the front of EXPIRES.

Question: what result do you get from your dysfunctional query?

View solution in original post

cpetterborg · ‎02-23-2015

Just to make a tweak to your regex:

rex "Contract\s+(?P<CONTRACT>.+\s+expires on\s+)(?P<EXPIRES>.+)"

This cleanup will not put "expires" in the CONTRACT, prevent misparsing of the CONTRACT name (if there is "on" in the name), and eliminate the space at the front of EXPIRES.

Question: what result do you get from your dysfunctional query?

How to convert my time field for use in a timechart search?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM