topic Get the specific string from the line in Splunk Search

Get the specific string from the line

harshal_chakran — Tue, 08 Oct 2013 09:12:48 GMT

Hi,
I wanted to know is it possible to get a string at specific location from a line.

for e.g.
My line is:

STEP LOGVAL      error_Func_value/error function value      10:04:06.085         doorstep: get the directive

Now I want to show this string "10:04:06.085" as my result.

Please help.

Re: Get the specific string from the line

kristian_kolb — Tue, 08 Oct 2013 09:27:49 GMT

Is this what your actual log looks like? How are the pieces of information separated? Multiple spaces? tabs?

Assuming you have a separator of 6 spaces, like in your sample above, you can extract the the time information into a field called TimeStamp like this;

your base search | rex "\s{6}(?<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}" | the rest of your search

Hope this helps,

Re: Get the specific string from the line

harshal_chakran — Tue, 08 Oct 2013 12:27:34 GMT

Hi,
Thanks for the help.
But when I run this query, it highlights only the sourcetype, and what I want is to get that timestamp at output. I have tried to tweak the query, but couldn't succeed.

And the pieces of information is separated by multiple spaces.

Re: Get the specific string from the line

kristian_kolb — Tue, 08 Oct 2013 13:24:58 GMT

"highlights the sourcetype"? I don't understand. Try this, somewhat shorter regex;

...| rex "\s{3,}(?<TimeStamp>[0-9.:]+)\s{3,}" | table TimeStamp

The last table command is just for verification purposes. Remove it if the extraction works.