I have the below entries from my logs and I want to remove the ' from the beginning and end of the field value.
valid_from='May 25 13:46:01 2017 GMT ',valid_to='May 25 13:46:01 2019 GMT'
Also, how do I get the difference in days for valid_to-valid_from?
Howdy pbsuju!
strptime to transform to epoch and using an eval to pick the diff may be what you want. This is the paste of my test:
| makeresults
| eval test="valid_from='May 25 13:46:01 2017 GMT ',valid_to='May 25 13:46:01 2019 GMT'"
| rex field=test "valid_from=\'(?<from>[^\']+)\',valid_to=\'(?<to>[^\']+)"
| eval to2=strptime(to,"%b %d %H:%M:%S %Y %Z")
| eval from2=strptime(from,"%b %d %H:%M:%S %Y %Z")
| eval diff=(to2-from2)/86400
| table test,from,from2,to,to2,diff
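For checking the search result outside Splunk, the same extraction and day arithmetic in Python, as an added example that is not part of the original answer. The function names are hypothetical, and it assumes English month abbreviations and GMT/UTC timestamps as in the sample line.

```python
import re
from datetime import datetime, timezone

# Matches key='value' pairs such as valid_from='May 25 13:46:01 2017 GMT '
FIELD_RE = re.compile(r"(\w+)='([^']*)'")
# Same format string as the strptime() calls in the search above
TIME_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_fields(line):
    """Return {key: value} with the quotes removed and stray whitespace trimmed."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def to_utc(value):
    """Parse one timestamp; only GMT/UTC is accepted so the result is unambiguous."""
    if not value.endswith(("GMT", "UTC")):
        raise ValueError(f"unexpected time zone in {value!r}")
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def validity_days(line):
    """Difference in days, computed as valid_to - valid_from."""
    fields = parse_fields(line)
    missing = {"valid_from", "valid_to"} - fields.keys()
    if missing:
        raise KeyError(f"missing fields: {sorted(missing)}")
    delta = to_utc(fields["valid_to"]) - to_utc(fields["valid_from"])
    return delta.total_seconds() / 86400


# The log line from the question (note the trailing space inside the first value)
SAMPLE = "valid_from='May 25 13:46:01 2017 GMT ',valid_to='May 25 13:46:01 2019 GMT'"
# Constructed line: space-padded single-digit day and a partial-day difference
PADDED = "valid_from='Jan  5 00:00:00 2018 GMT',valid_to='Jan  6 12:00:00 2018 GMT'"

if __name__ == "__main__":
    for line in (SAMPLE, PADDED):
        print(parse_fields(line), validity_days(line))
```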