topic Re: Splunk Regex Help in Splunk Search

Help with Splunk Regex

kc_prane — Tue, 21 Jun 2022 23:30:16 GMT

Hi Team - Need your expertise in Regex.

The below is the rawlog i need to extract the Date and time the only unique is the WORD "START" & "END" goal is to find the response time between START and END in a Table format.

Note: there are no space in the log

START</enteringExiting><logLevel>INFO</logLevel><messageType>LOG</messageType><applicationName>GstarSOA</applicationName<programName>GstarRecipientService_MF</programName><functionName>GetRecipient</functionName><host>PerfNode0</host><messageDetails>2022-06-17 04:10:53/utility/logging"><enteringExiting>END</enteringExiting><logLevel>INFO</logLevel><messageType>LOG</messageType><applicationName>GstarSOA</applicationName><programName>GstarRecipientService_MF</programName<functionName>GetRecipient</functionName><host>PerfNode0</host><messageDetails>2022-06-17 04:10:53

Re: Splunk Regex Help

marysan — Tue, 21 Jun 2022 05:02:04 GMT

@kc_prane
Hi

Would you give me an example of your expected result ?
how do you calculate response time between start and end ? with messageDetails?

Re: Splunk Regex Help

gcusello — Tue, 21 Jun 2022 06:31:22 GMT

HI @kc_prane,

if the shared sample is in one event, you could use the following regex:

| rex "START.*messageDetails\>(?<Start_Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\/.*END.*messageDetails\>(?<End_ate>\d+-\d+-\d+\s+\d+:\d+:\d+)"

that you can test at https://regex101.com/r/moeIVB/1

If instead you have two events, you can separate the above regex in two regexes.

Ciao.

Giuseppe

Re: Splunk Regex Help

kc_prane — Tue, 21 Jun 2022 14:51:16 GMT

Thanks Gcusello !

i modifed your solutiion it worked.

| rex "START.*messageDetails\>(?<Start_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)" | rex "END.*messageDetails\>(?<End_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)"

Re: Splunk Regex Help

gcusello — Tue, 21 Jun 2022 15:00:27 GMT

Hi @kc_prane,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Splunk Regex Help

kc_prane — Tue, 21 Jun 2022 15:36:37 GMT

Hi @gcucello

Can you also help me how to seperate the date and time in the regex. Cause i wanted to find the difference between Start_time and End_time

| rex "START.*messageDetails\>(?<Start_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)"

My results : 2022-06-17 03:49:46

Re: Splunk Regex Help

kc_prane — Tue, 21 Jun 2022 21:32:26 GMT

Hi Marysan - Thanks for the reply, i got the solution

| rex "START.*messageDetails\>\d+\-\d+\-\d+\s+(?<Start_Time>\d+\:\d+\:\d+)" | rex "END.*messageDetails\>\d+\-\d+\-\d+\s+(?<End_Time>\d+\:\d+\:\d+)"
| eval ST = Strptime(Start_Time, "%H:%M:%S.%3N")
| eval ET = Strptime(End_Time, "%H:%M:%S.%3N")
| eval ResponseTime = tostring((ET -ST), "duration")
| table _time host tag::host Start_Time End_Time ResponseTime

Re: Splunk Regex Help

kc_prane — Tue, 21 Jun 2022 21:33:41 GMT

Hi @gcucello - No worries I got the solution, thanks a lot