Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to capture value between two dates and a time string?

Splunkuser542
Explorer
‎08-19-2018 03:15 PM

Hi,

How can I capture the the text between the first and second date and time strings.

Using the example event below, I'd like to capture only "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com".

Sometimes there will be no ending date and time as shown in Example 2 below.

Example 1:

16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53

Example 2 (no date and time at the end):

16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com

I've created the following regex, but when I table the 'test' field, I don't have any resuts.

([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2}\s\-)(?P<test>.*)([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2})

Thanks!

0 Karma
Reply

adonio
Ultra Champion
‎08-19-2018 04:18 PM

hope i understood your requirement<

try this search anywhere:

| makeresults count=1
| eval data = "16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53; 16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com"
| makemv delim=";" data 
| mvexpand data
| rename COMMENT as "the above generates data below is the solution" 
| rex field=data "\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\s+\-\s+(?<message_test>[^|]+\w+\@\w+\.com)"
| table message_test

hope it helps

0 Karma
Reply

Splunkuser542
Explorer
‎08-21-2018 04:03 PM

Hi adonio, sorry, I hope the below examples are more clear.

Example 1.

16/08/2018 03:04:11 - Some paragraph. 10/08/2018 07:11:53

Example 2.

18/08/2018 07:06:11 - Some sort of comment here. Email: test@email.com 04/08/2018 02:51:53

Example 3.

21/08/2018 09:15:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. 01/08/2018 07:47:53

I'd like to capture all the text in between the date and time string, which are (in order):

  1. Some paragraph.
  2. Some sort of comment here. Email: test@email.com
  3. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan.

Thanks in advance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...