topic Re: Using Rex command to extract time duration in hh:mm:ss in Splunk Search

Using Rex command to extract time duration in hh:mm:ss

harshparikhxlrd — Tue, 05 Nov 2019 18:53:23 GMT

Hello, I am trying to extract data, specifically time data in hh:mm:ss:nn format and put it on a table. When I do, I get no results to show up on my code.

Re: Using Rex command to extract time duration in hh:mm:ss

marycordova — Tue, 05 Nov 2019 19:01:56 GMT

post a sample of your data please

Re: Using Rex command to extract time duration in hh:mm:ss

marycordova — Tue, 05 Nov 2019 19:02:16 GMT

Try this for help: https://regex101.com/

Re: Using Rex command to extract time duration in hh:mm:ss

harshparikhxlrd — Tue, 05 Nov 2019 19:09:52 GMT

https://textuploader.com/1kbvy

Re: Using Rex command to extract time duration in hh:mm:ss

harshparikhxlrd — Tue, 05 Nov 2019 19:10:41 GMT

Added my data sample to post.

Re: Using Rex command to extract time duration in hh:mm:ss

marycordova — Tue, 05 Nov 2019 20:07:53 GMT

can you just post it to your question?

Re: Using Rex command to extract time duration in hh:mm:ss

harshparikhxlrd — Tue, 05 Nov 2019 20:10:37 GMT

I can't. It won't let me post the whole data.

Re: Using Rex command to extract time duration in hh:mm:ss

to4kawa — Sun, 19 Jan 2020 10:43:05 GMT

| makeresults
| eval _raw="11/05/2019 10:21:04 AM
LogName=Application
SourceName=RoboticLogging
EventCode=0
EventType=4
Type=Information
ComputerName=WTWFBVZP.UNITOPR.UNITINT.TEST.STATEFARM.ORG
TaskCategory=%1
OpCode=Info
RecordNumber=51614
Keywords=Classic
Message=<Robotics Workstation=\"WTWFBVZP\" UserID=\"UNTOPR\OE1OTD\" Department=\"HRSS_NEO\" TaskID=\"Daily NEO Report\" Automation=\"NEO_P_SplunkMetrics\" Message=\"Number of supervisor reminder memos sent: 6,Number of New Employees in NEO Report without job title Temporary Agy Svc Asst: 988,Number of New Employees in NEO Report with job title Temporary Agy Svc Asst: 23,Duration: 00:01:50.5270509\" AdditionalInfo1=\"NA\" AdditionalInfo2=\"NA\""
| kv
| eval _time=mvindex(split(_raw,"
"),0)
| eval _time=strptime(_time,"%m/%d/%Y %T %p")
| fieldformat _time=strftime(_time,"%m/%d/%Y %T %p")
| rex "Message=\"(?<Message>[^\"]+)\""
| table _time LogName SourceName EventCode EventType Type ComputerName TaskCategory OpCode RecordNumber Keywords
,Workstation UserID Department TaskID Automation Message AdditionalInfo1 AdditionalInfo2
| appendpipe 
    [eval _raw = Message
    | eval _raw = replace(_raw,"(\d+:\d+:\d+\.\d+)","\"\1\"")
    | extract pairdelim="," kvdelim=":"
    | fields - _raw]
    | selfjoin Message

Hi, folks.
That's all?