cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
aotuga001
Explorer
Member since: 2 weeks ago
2 weeks ago
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎04-15-2024
View All

Re: Matching a field in a string using if/eval com...

by in Splunk Search
2 weeks ago
1 Karma
2 weeks ago
1 Karma
It was perfect 😁.  I ended up doing it like this because of how the logs are stored in our environment. index=c account=1 env=lower source="logfiles" ("destination" OR "received") | eval logtype = if(like(_raw, "destination%"),"logb","loga") | rex field=_raw filename in loga| rex field=_raw filename in logb| stats count min(_time) as Starttime max(_time) as Endtime values(logtype) as logtype by filename | where count=2 AND logtype="loga" AND logtype="logb" | eval diff = Endtime - Starttime | stats avg(diff) ... View more

Re: Matching a field in a string using if/eval com...

by in Splunk Search
2 weeks ago
2 weeks ago
This is exactly what I am doing, nothing more.  Let me try your logic.   index= cloudaccount= cloudenv=impl source= (string in log a OR string in log b) | rex field=_raw "/[a-zA-Z0-9]+\/(?<filename>[^\"]*)"| rex field=_raw "[a-zA-Z0-9]+\/(?<filename2>[^\"]*)" | eval Endtime = strftime(_time, "%H:%M:%S:%Q") | eval Starttime = if(match(filename,"found %".filename2."%"),1,0) | stats values(Starttime) by filename     ... View more

Re: Matching a field in a string using if/eval com...

by in Splunk Search
2 weeks ago
2 weeks ago
Yes log b and log a have the same index=a env=a account=. SPL -----> rex field=_raw "The file has been found at the second destination[a-zA-Z0-9]+\/(?<filename2>[^\"]*)" This works I get the file names. This is exactly the logs that I am trying to match, I was using if(like....) at first.               log a:  There is a file has been received with the name test2.txt lob b:  The file has been found at the second destination C://user/test2.txt ... View more

Matching a field in a string using if/eval command...

by in Splunk Search
2 weeks ago
2 weeks ago
I have two logs below, log a is throughout the environment and would be shown for all users.  log b is limited to specific users.  I only need times for users in log b. log a:  There is a file has been received with the name test2.txt lob b:  The file has been found at the second destination C://user/test2.txt I am trying to write a query that captures the time between log a and log b without doing a subsearch, so far I have  index=a, env=a, account=a ("There is a file" OR "The file has been found")|field filename from log b | field filename2| eval Endtime = _time | ****Here is where I am lost, I was hoping to use if/match/like/eval to see to capture the start time where log b filename can be found in log a.  I have this so far******   | eval Starttime = if(match(filename,"There is%".filename2."%"),_time,0) I am not getting any 1s, just 0s.  I am pretty sure this is the problem "There is%".filename2."%", how do I correct it. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
Karma from
View All
Karma given to
View All