DateTime format search in the splunk search query
I have "YYYY-MM-DD HH:MM:SS.QQ ERROR" in my splunk logs. Now I want to search for similar date pattern along with Status like "2021-Apr-08 23:08:23.498 ERROR" in my splunk logs and create alert if the ERROR tag comes next to the date. These date are changeable and are generated at run time.
Can any one suggest me how to check for Date time format along with Status in splunk query.
In the title you mentioned Amazon Web Services. If your events are actual AWS log data, you could install the Splunk Add-on for Amazon Web Services: https://splunkbase.splunk.com/app/1876/
The add-on comes with a lot of field extractions. After installing the add-on, all you need to do is have a look at your events to find out the correct field name for the status text and then search for status=ERROR.
Alternatively, you can create the field extraction yourself. This regular expression should do:
(?<date>\d\d\d\d-\w+-\d\d\s+\d\d:\d\d:\d\d\.\d\d\d)\s+(?<status>\w+)
You can test it here: https://regex101.com/r/pVg1Pm/1
Now use Splunk's rex command to do the field extraction at search time:
To have the field extraction done automatically, you can add new field extractions via Settings / Fields / Field extractions.
- How to use MFA with AWS CLI?
- How do I get the URL for the item using the Amazon API
- How to make links work with exported sites when hosted on AWS Cloudfront?
- Error launching CloudFormation Template for CloudHSM
- Glacier as Resource in CloudFormation template?
- how to secure keys for API calls from android device to amazon services
- Why is this IAM policy denying access with an MFA session?
- AWS Lambda Function Trigger API Gateway Issue
- GetMyFeesEstimate API Amazon vba
- AWS Cloudformation !Ref SecurityGroup returns an invalid ID
- How to set up AWS Client VPN with Keycloak as IdP
- How to view/identify which process taking how much memory?
- using bottlenose in python to extract product price from Amazon in different locale
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Amazon QuickSight Connects Over Internet Instead of VPC to Public Redshift Cluster
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- AWS ElastiCache in cluster mode has no Primary / Reader endpoints
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally