topic regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago in Splunk Search

regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

thaghost99 — Wed, 19 Jun 2024 14:18:56 GMT

hi, i currently have this data and i would like to see if i can extract the date and time and see if it can display the LINE if its within the last 24 hours.

example: current time June 19

result should be:

drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

---------------------- DATA START below -----------------------

/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

/opt/var.dp2/cores/crashinfo:
total 0

/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs

/var/cores/crashinfo:
total 0

/var/cores/crashjobs:
total 0

/opt/panlogs/cores/:
total 0

/opt/var.cp/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K May 28 06:06 crashjobs

/opt/var.cp/cores/crashjobs:
total 0

/opt/var.dp1/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp1/cores/crashinfo:
total 0

/opt/var.dp1/cores/crashjobs:
total 0

/opt/var.dp0/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp0/cores/crashinfo:
total 0

/opt/var.dp0/cores/crashjobs:
total 0

---------------------- DATA END above -----------------------

Re: regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

ITWhisperer — Wed, 19 Jun 2024 14:46:03 GMT

Try something like this

| rex max_match=0 "(?m)^(\S+ ){5}(?<datetimefile>\w+ +\d+\s+\d+:\d+\s+\S+)$" | mvexpand datetimefile | eval timestamp=strptime(datetimefile,"%b %d %H:%M") | where now()-timestamp < 24*60*60

Re: regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

richgalloway — Wed, 19 Jun 2024 15:01:11 GMT

Try this

``` Parse the date ``` | rex "\s(?<date>\w{3}\s\d{1,2})\s" ``` Convert the date into epoch form ``` | eval epoch=strptime(date, "%b %d") ``` See if the date falls in the last 24 hours ``` | where epoch > relative_time(now(), "-24h")

Re: regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

thaghost99 — Wed, 19 Jun 2024 15:38:43 GMT

thank you very much. it works.

Re: regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

thaghost99 — Mon, 24 Jun 2024 14:40:08 GMT

if it shows no results, how can i make it so that the value of that 'epoch' value = OK versus 'Not Ok'