Solved: How to display the time of one search in the final...

Vignesh5r · ‎08-05-2016

Below is my search.

What I need is to have the time related to that error also saved(Timen) and then shown in the final result which has result of another subsearch.

When I run it, I am getting the value of only FIELDNAME1 and not Timen.

index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")|   accum Timen|                  rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" | rex "(?i)text2=(?P[^]]+)" |  eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1  Time Timen

somesoni2 · ‎08-05-2016

Give this a try

index!=_internal "error" |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text\>(?P<FIELDNAME>[^\<]+)" | dedup FIELDNAME | table Timen FIELDNAME | map search="search index!=_internal $FIELDNAME$ | eval Timen=\"$Timen$\"" | search "error1 " |rex "(?i)text1=(?P<FIELDNAME1>[^\]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen

View solution in original post

somesoni2 · ‎08-05-2016

Give this a try

index!=_internal "error" |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text\>(?P<FIELDNAME>[^\<]+)" | dedup FIELDNAME | table Timen FIELDNAME | map search="search index!=_internal $FIELDNAME$ | eval Timen=\"$Timen$\"" | search "error1 " |rex "(?i)text1=(?P<FIELDNAME1>[^\]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen

Vignesh5r · ‎08-05-2016

One more question. What if i have to display the FIELDNAME along with Timen?

Vignesh5r · ‎08-05-2016

It doesnt work. It displays $Timen and not the value

somesoni2 · ‎08-05-2016

Oops, missed a $ sign there. Try now.

Vignesh5r · ‎08-05-2016

Perfect. It works. Thanks a lot for your kind help on this!!!

Vignesh5r · ‎08-05-2016

Okay i found that this doesnt actually provide the result i am expecting. Let me correct my quetion. I need to know the time of the exact FIELDNAME which matches with the error1 field. (There can be multiple results for that fieldname initially and the timen is showing the latest one for that)

somesoni2 · ‎08-05-2016

The field names are stripped off in the question, making is difficult to understand. Apart from correcting that, could you also, describe your requirement here in little more details?

Vignesh5r · ‎08-05-2016

 index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" |   eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1  Time Timen

I want to display the field Timen in my results. Currently it displays only FIELDNAME1 and Time and not Timen

How to display the time of one search in the final result when we have another subsearch inside of it?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes