There are many events like this. I just need host and Time to be downloaded as a report. Please help me.
Time
12/6/16
9:42:40.513 AM
Event
[2016-12-06 09:42:40,513yyyy/MM/dd HH:mm:ss,UTC] _alert_time="2016/12/06 08:30:00 UTC", __sev="LOW", __ns="Storage", __app="ONTAP.HEALTH.Multipath", __uniqID=9bdeaf064afffbc8b17016cf1c09af9c, _@="storage-alerts@yahoo-inc.com", _threshold_name="ONTAP.HEALTH.Multipath", host="nfsarchive16801.mail.gq1.yahoo.com", __description="Storage configuration is Mixed-Path.Loop Details::missing loop:3b:shelf:2
missing loop:1d:shelf:5
missing loop:3d:shelf:4", __status="1", __url="http://yamas.ops.yahoo.com:9999/#/ws/y63tw8/oxc", __url="http://yamas.ops.yahoo.com:9999/v1/graph/new?start=1481005800&end=1481013000&_t.host=nfsarchive16801...", __custom_text="please check and fix"
host = alrcons-1.yms.gq1.yahoo.com
source = /home/y/logs/alerts_splunk/alerts-email.log
sourcetype = alerts
Since host is a metadata index-time extracted field for any sourcetype, you will need to provide a separate field extraction name. Since Splunk is case sensitive for field names, I am using Host as the extracted field name in the following options:
Option 1) Use the Extract New Fields option from your search results. The Interactive Field Extractor will give you the option to use Splunk's regular expression or define your own. You can define your own extraction as
host\=\"(?P<Host>[^,]+)\"\,
Option 2) Use the inline rex command to extract host. (PS: the rex command should only be used for initial testing; ideally you should use Option 1 or 3 to create a Field Extraction Knowledge Object.)
rex field=_raw "host\=\"(?P<Host>[^,]+)\"\,"
Option 3) Modify props.conf to create your own extraction for sourcetype alerts:
EXTRACT-Host = host\=\"(?P<Host>[^,]+)\"\,
PS: Other fields should be automatically extracted by Splunk. If not, you can apply the above options with the respective regular expressions. To test your regular expressions you can try the regex101 website.
If these are events that are being generated, can you just create a search like this:
sourcetype=alerts|table host _time alert_time
and then save it as a report and schedule it if needed?
If you don't have the fields extracted yet, some regex commands that might work:
sourcetype=alerts | rex field=_raw "host=\"(?<host>[^\"]+)\"" | rex field=_raw "^\[(?<time>[^\]]+)\]" | rex field=_raw "alert_time=\"(?<alertTime>[^\"]+)\"" | table host time alertTime
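A quick offline check of the extraction patterns from both answers, as an added example that is not from either poster or from Splunk: Python's re module accepts the same named-group syntax as rex, so the patterns can be run against a constructed event (a simplified, single-line version of the one in the question) before being turned into a field extraction. The last function shows why the greedy `.*` form over-captures.

```python
import re

# Constructed sample event, simplified from the alert in the question
# (single line, URLs and multi-line description dropped; not a real log line).
EVENT = (
    '[2016-12-06 09:42:40,513yyyy/MM/dd HH:mm:ss,UTC] '
    '_alert_time="2016/12/06 08:30:00 UTC", __sev="LOW", __ns="Storage", '
    '_@="storage-alerts@yahoo-inc.com", '
    'host="nfsarchive16801.mail.gq1.yahoo.com", '
    '__status="1", __custom_text="please check and fix"'
)

# The patterns from the answers above as Python named groups; rex uses the
# same PCRE-style (?<name>...) / (?P<name>...) syntax.
PATTERNS = {
    # Option 1/2/3 pattern: stop at the first comma, require the closing quote.
    "Host": re.compile(r'host\="(?P<Host>[^,]+)"\,'),
    # Bracketed timestamp at the start of the raw event.
    "time": re.compile(r'^\[(?P<time>[^\]]+)\]'),
    # Value of _alert_time (the substring "alert_time=" also matches it).
    "alertTime": re.compile(r'alert_time="(?P<alertTime>[^"]+)"'),
}


def extract_fields(raw):
    """Apply each extraction to the raw event; a missing match becomes None."""
    out = {}
    for name, pat in PATTERNS.items():
        m = pat.search(raw)
        out[name] = m.group(name) if m else None
    return out


def greedy_host(raw):
    """The original form host="(?<host>.*)", from the second answer:
    .* runs to the LAST '",' on the line, so later fields leak into host."""
    m = re.search(r'host="(?P<host>.*)",', raw)
    return m.group("host") if m else None


if __name__ == "__main__":
    print(extract_fields(EVENT))
    print(repr(greedy_host(EVENT)))
```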