topic Re: Extract time from log in Splunk Search

Extract time from log

shwetamis — Tue, 03 Dec 2019 19:44:06 GMT

Below is my data
2019-12-03 14:20:55,679 ------------------ Begin Request -----------------

How do I extract begin time 14:20:55 from the above log data?

Re: Extract time from log

aberkow — Wed, 30 Sep 2020 03:14:52 GMT

If you're sure that is the raw format for all of your logs, you can write a simple regex leveraging the rex command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Rex#Syntax. Rough example syntax below:

{code}
| makeresults count=1
| eval _raw="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------"
| rex field=_raw ".\s(?.),.*"

{code}

If you run this code, you can see that I generate a similar event to the line you posted above, and then run the rex command with a capturing group around "timeStamp", which is anything after the first whitespace up until the first comma. For your case you don't need to generate the _raw field as that is just a representation of the log you already have on your machine.

Why I call this "rough" syntax is you want to make sure the regex works for all of your log formats, so this means either running it against multiple logs and making sure that the timeStamp field is always populated or iterating on the regex (I like regex101.com for that, it has a workspace and good tips on the side) since you will have access to more log information than me. In general, using the rex command is a great way to extract information from a string in Splunk though!

Hope this helps!

Re: Extract time from log

woodcock — Tue, 03 Dec 2019 22:25:58 GMT

Like this:

... | eval begin=strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N")

Re: Extract time from log

vnravikumar — Wed, 04 Dec 2019 02:47:25 GMT

Try this

| makeresults 
| eval temp="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------" 
| rex field=temp "\d{4}-\d{2}-\d{2}\s(?P<beginTime>\d{2}:\d{2}:\d{2})"

Re: Extract time from log

shwetamis — Wed, 04 Dec 2019 14:14:56 GMT

Thank you this one worked.

Re: Extract time from log

shwetamis — Wed, 04 Dec 2019 14:16:09 GMT

Also I don't want to hardcode the time in the search, as it is not for one transaction, how to I do that ?

Re: Extract time from log

shwetamis — Wed, 04 Dec 2019 14:16:44 GMT

I don't want to hardcode the time, as I am searching for multiple transactions

Re: Extract time from log

shwetamis — Wed, 04 Dec 2019 14:18:07 GMT

is _raw field that hold values of time ? if so then it returns raw data it doesn't return the time