Splunk Search

Every event has a hostname and a respective timestamp. I want that hostname and its time to be displayed, and to download that as a CSV.

rkdasari
New Member

There are many events like this. I just need host and Time to be downloaded as a report. Please help me.

Time
12/6/16
9:42:40.513 AM

Event
[2016-12-06 09:42:40,513yyyy/MM/dd HH:mm:ss,UTC] _alert_time="2016/12/06 08:30:00 UTC", __sev="LOW", __ns="Storage", __app="ONTAP.HEALTH.Multipath", __uniqID=9bdeaf064afffbc8b17016cf1c09af9c, _@="storage-alerts@yahoo-inc.com", _threshold_name="ONTAP.HEALTH.Multipath", host="nfsarchive16801.mail.gq1.yahoo.com", __description="Storage configuration is Mixed-Path.Loop Details::missing loop:3b:shelf:2
missing loop:1d:shelf:5
missing loop:3d:shelf:4", __status="1", __url="http://yamas.ops.yahoo.com:9999/#/ws/y63tw8/oxc", __url="http://yamas.ops.yahoo.com:9999/v1/graph/new?start=1481005800&end=1481013000&_t.host=nfsarchive16801...", __custom_text="please check and fix"

host = alrcons-1.yms.gq1.yahoo.com
source = /home/y/logs/alerts_splunk/alerts-email.log
sourcetype = alerts

niketn
Legend

Since host is a metadata, index-time extracted field for any sourcetype, you will need to provide a separate field extraction name. Since Splunk is case sensitive for field names, I am using Host as the extracted field name in the following options:

Option 1) Use the Extract New Fields option from your search results. The Interactive Field Extractor will give you the option to use Splunk's regular expression or to define your own. You can define your own extraction as

host\=\"(?P<Host>[^,]+)\"\,

Option 2) Use the inline rex command to extract host. (PS: the rex command should only be used for initial testing; ideally you should use Option 1 or 3 to create a Field Extraction Knowledge Object.)

rex field=_raw "host\=\"(?P<Host>[^,]+)\"\,"

Option 3) Modify props.conf to create your own extraction for the sourcetype alerts:

EXTRACT-Host = host\=\"(?P<Host>[^,]+)\"\,

PS: Other fields should be automatically extracted by Splunk. If not, you can apply the above options with the respective regular expressions. To test your regular expressions you can try the regex101 website.


cmerriman
Super Champion

If these are events that are being generated, can you just create a search like this:

sourcetype=alerts|table host _time alert_time

and then save it as a report and schedule it if needed?
If you don't have the fields extracted yet, some rex commands that might work:

sourcetype=alerts | rex field=_raw "host=\"(?<host>[^\"]+)\"" | rex field=_raw "^\[(?<time>[^\]]+)\]" | rex field=_raw "_alert_time=\"(?<alertTime>[^\"]+)\"" | table host time alertTime
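An offline check of the extraction patterns from the two answers above, run against the event in the question, the way niketn suggests testing a regex before turning it into a Field Extraction or rex command. This is an added example in Python, not code from the thread; the one-line abbreviated sample event and the field names Host, time and alertTime are assumptions taken from the answers.

```python
"""Check the thread's field-extraction regexes against the sample event and
build the host / _time / alertTime CSV report the question asks for."""
import csv
import io
import re

# Constructed sample: the question's event, flattened to one line and abbreviated.
SAMPLE_EVENT = (
    '[2016-12-06 09:42:40,513yyyy/MM/dd HH:mm:ss,UTC] '
    '_alert_time="2016/12/06 08:30:00 UTC", __sev="LOW", __ns="Storage", '
    '__app="ONTAP.HEALTH.Multipath", host="nfsarchive16801.mail.gq1.yahoo.com", '
    '__description="Storage configuration is Mixed-Path", __status="1", '
    '__url="http://yamas.ops.yahoo.com:9999/#/ws/y63tw8/oxc", __custom_text="please check and fix"'
)

# niketn's Host pattern: the negated class [^,]+ stops at the first comma, so the
# capture cannot run past the hostname. (?P<name>...) is accepted by both Python
# and Splunk's PCRE-based EXTRACT-/rex patterns.
HOST_RE = re.compile(r'host="(?P<Host>[^,]+)",')
# Bracketed timestamp at the start of the raw event, and the _alert_time value.
TIME_RE = re.compile(r'^\[(?P<time>[^\]]+)\]')
ALERT_RE = re.compile(r'_alert_time="(?P<alertTime>[^"]+)"')
# Greedy variant as first posted, host="(?<host>.*)", : .* backtracks to the LAST '",'.
GREEDY_HOST_RE = re.compile(r'host="(?P<host>.*)",')


def extract_fields(event: str) -> dict:
    """Return Host, time and alertTime for one event; missing values are None."""
    fields = {}
    for pattern in (HOST_RE, TIME_RE, ALERT_RE):
        m = pattern.search(event)
        fields.update(m.groupdict() if m else {g: None for g in pattern.groupindex})
    return fields


def greedy_host(event: str) -> str:
    """What the greedy pattern captures; shows why [^,]+ or [^"]+ is needed."""
    m = GREEDY_HOST_RE.search(event)
    return m.group("host") if m else ""


def to_csv(events: list) -> str:
    """Render the host/_time/alertTime report as CSV text (commas in values are quoted)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["host", "_time", "alertTime"], lineterminator="\n")
    writer.writeheader()
    for ev in events:
        f = extract_fields(ev)
        writer.writerow({"host": f["Host"], "_time": f["time"], "alertTime": f["alertTime"]})
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv([SAMPLE_EVENT]))
    print("greedy capture:", greedy_host(SAMPLE_EVENT))
```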