How can I use Regrex Command to split string?

ichesla1111 · ‎02-01-2023

Hello!

I am caluclating utilization (already done), but I want to fix my event start times.

The start time for a run on a machine is located in the filename, but I am having difficulty doing the regrex command and understanding how it works.

ex. Filename String:

013023-123141-46.xml

Step1: Extract middle string (highlighted in red):

013023-123141-46.xml -->WANT: "123141"

Step2: Add ":" between every other number (highlighted in red):
"123141" --> Final string: "12:31:41"

Step3: Convert time string "12:31:41" into a time stamp:
Field: Starttime = strftime(Start_Time,"%h:%m:%s")

gcusello · ‎02-01-2023

Hi @ichesla1111,

please try something like this:

<your_search>
| rex field=filename "^\d+-(?<hh>\d\d)(?<mm>\d\d)(?<ss>\d\d)"
| eval Starttime = hh.":".mm.":".ss
| table Starttime

you can test the regex at https://regex101.com/r/8mQ7WB/1

Ciao.

Giuseppe

How can I use Regrex Command to split string?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation

How can I use Regrex Command to split string?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games