Re: Unable to extract fieds

sumanth_isac · ‎04-08-2013

Hi ,
I have data files which is generated by script(eg. xyz12.ksh)
When each time a script runs a file is generated with different type.
For eg.1. xyz.log.20000109.1221
2. *****************.3545
Each file generated by script is an event.
First i could not add the directory which contained these files, so i created a new index and added each file into that index.
Now i have data in that file like starttime, endtime and error code etc.
I was able extract starttime field using regex. But i could not get endtime field values as i go to extract filed, some lines in the data of the file is removed as i select extract fields and go to Interactive field extractor.
Pls help.
I want both start time and endtime fields.

kml_uvce · ‎04-08-2013

You can do this extraction in props.conf/transforms.conf , send me your log data I can make extraction for you.
-Kamal Bisht

sumanth_isac · ‎04-08-2013

Script Name : xyz0101.ksh
Start Time : 2012-12-09 16:40:27
Arguments :
Env Variables :
Some lines here
PL/SQL procedure successfully completed.
error code is 0

End Time : 2012-12-09 18:47:15

Return Code = 0 (Normal Termination, Continue Processing)

I want to extract start time and end time and error code in single table. I was able to extract StartTime but not Endtime in regex window

Unable to extract fieds

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability