Re: Need help in handling unstructured data

gopee_splunk · ‎12-24-2014

I have an Log File as below

starting process 1 (each line is a sinle event in splunk))
processing steps
.
.
.
ending process 1

starting process2
processing steps
.
.
.
ending process 2

starting process3
processing steps
.
.
.
ending process 3

I would like to get data as below.Could you please help me?

Process1 start_time end_time
Process2 start_time end_time
Process3 start_time end_time

adityapavan18 · ‎12-25-2014

Try this way. create a field to extract processid.

Then try something like | stats latest(_time) as endtime earliest(_time) as starttime by processid.

esix_splunk · ‎12-24-2014

You should fix this as a data source, and parse this correctly as the data is indexed. That will save you time and headaches. You'll need to create a datasource for this via props..

... props.conf ..

      [mymultiline:sourcetype]
      SHOULD_LINEMERGE = True
      BREAK_ONLY_BEFORE = starting process \d+

Add that and restart splunk, add the data again.

BREAK_ONLY_BEFORE = is a regex that will match for the beginning of the event. Adjust this to what your the first line of your event really looks like.

You can find more details on the options for setting this at data ingestion time via the props.conf spec file at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf.

lguinn2 · ‎12-24-2014

Try this

"starting process" OR "ending process"
| eval starttime=if(match(_raw,"starting process"),_time,null())
| eval endtime = if(match(_raw,"ending process"),_time,null())
| stats max(starttime) as "Start Time" max(endtime) as "End Time" by process_id

Need help in handling unstructured data

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...