- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the best way to concatenate multiple separ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scenario background : I am searching email logs for all senders and recipients of specific subject. Each email is a chain of event logs that share a Unique ID (UID) for that specific email occurrence.
Here is my current code:
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID
current result headers are:
UID Subj sender recp Hour Minute Second
I would like to combine the Hour Minute Second values into a new field called Time. One caveat is that there are multiple time_second values as the events are separate and correlated by UID. So ideally I would like the Time field to contain complete time information (HH:MM:SS) in each row for each email occurrence. In other words each email has multiple event times because of the multiple event logs, the email events chain.
I know there are a number of ways to do this but I am looking for the best way given my previous code.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID | eval Time=mvzip(mvzip(Hour,Minute,":"),Second,":") | fields - Hour Minute Second
Approach2 (should handle multiple seconds as well)
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID] | eval Time=time_hour.":".time_minute.":".time_second |stats list(subject) as subj list(sender) as sender list(recipient) as recp values(Time) as Time by UID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID]
|stats list(subject) as subj list(sender) as sender list(recipient) as recp values(time_hour) as Hour values(time_minute) as Minute values(time_second) as Second by UID | eval Time=mvzip(mvzip(Hour,Minute,":"),Second,":") | fields - Hour Minute Second
Approach2 (should handle multiple seconds as well)
index=mail sourcetype=xemail
[search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID] | eval Time=time_hour.":".time_minute.":".time_second |stats list(subject) as subj list(sender) as sender list(recipient) as recp values(Time) as Time by UID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bravo, It works great!!!
However, I lose the additional time values (because there are multiple second values per email occurrence) but I can live with that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the 2nd query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
even better! did you write an SPL book?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
