topic Re: How to grep or awk in splunk? in Splunk Search

How to grep or awk in splunk?

nilotpaldutta — Mon, 28 Sep 2020 20:26:58 GMT

Hi,

I am using this query in splunk search -
index="some_index" | dedup source | sort -source | dedup sourcetype | table sourcetype, source

My result shows like this -
sourcetype | source
--------------------- | ---------------------------------------------------------------
dev_architecture_dev1 | /u01/splunk/etc/apps/dev-data/data/dev1/dev1-20150629133045.log
dev_architecture_dev2 | /u01/splunk/etc/apps/dev-data/data/dev2/dev2-20150626124438.log

I want to grab only the year, month, day, hour, min and sec right before ".log". e.g. 20150629133045.
And then display it like 2015-06-29 13:30:45 in the 'source' column.

Is there a way to do it in Splunk6?

Thanks for looking at the question. Hoping to get some answers.

Re: How to grep or awk in splunk?

ektasiwani — Wed, 01 Jul 2015 07:30:15 GMT

Hi,

You can use this:
......|eval source1=substr(source,-18 ) | eval source=substr(source1,0,14 ) | ......

Re: How to grep or awk in splunk?

ektasiwani — Wed, 01 Jul 2015 07:34:30 GMT

With your query you can try:

Re: How to grep or awk in splunk?

nilotpaldutta — Wed, 01 Jul 2015 08:08:17 GMT

Thanks..!! this solution works.
However, is there any other way other than substring? Basically want to make the grab dynamic, so if the position changes in another environment, the query would still work.
I have done it in bash using both awk and sed. But seems like splunk syntax are very different.

Re: How to grep or awk in splunk?

ektasiwani — Wed, 01 Jul 2015 10:33:15 GMT

Yes you can do it using rex also.