How to convert my time field for use in a timechart search?

subtrakt — Tue, 24 Feb 2015 00:10:25 GMT

Any suggestions on how to timechart an unusual timestamp that comes inside the log entry.

These logs come in every night at midnight.

I want to run a scheduled search at 6pm that same day every day which charts the 'EXPIRES' field below as Time by CONTRACT

Here's the functional stats query:

index=contracts | rex "(?i)Contract (?P<CONTRACT>.*on+)(?P<EXPIRES>.*)" | stats count by CONTRACT, EXPIRES

log example:

Contract Honda Civic 144433 expires on Sun Feb 23 21:16:55 2015 GMT

Here's the EXPIRES field value that i would like to timechart:

Sun Nov 2 21:16:55 2014 GMT

Dysfunctional timechart search:

index=contracts | rex "(?i)contract (?P<CONTRACT>.*on+)(?P<EXPIRES>.*)" | timechart EXPIRES AS _time by CONTRACT

Re: How to convert my time field for use in a timechart search?

cpetterborg — Tue, 24 Feb 2015 00:23:06 GMT

Just to make a tweak to your regex:

rex "Contract\s+(?P<CONTRACT>.+\s+expires on\s+)(?P<EXPIRES>.+)"

This cleanup will not put "expires" in the CONTRACT, prevent misparsing of the CONTRACT name (if there is "on" in the name), and eliminate the space at the front of EXPIRES.

Question: what result do you get from your dysfunctional query?

topic Re: How to convert my time field for use in a timechart search? in Splunk Search

How to convert my time field for use in a timechart search?

Re: How to convert my time field for use in a timechart search?