How to capture value between two dates and a time ...

Splunkuser542 · ‎08-19-2018

Hi,

How can I capture the the text between the first and second date and time strings.

Using the example event below, I'd like to capture only "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com".

Sometimes there will be no ending date and time as shown in Example 2 below.

Example 1:

16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53

Example 2 (no date and time at the end):

16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com

I've created the following regex, but when I table the 'test' field, I don't have any resuts.

([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2}\s\-)(?P<test>.*)([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2})

Thanks!

adonio · ‎08-19-2018

hope i understood your requirement<

try this search anywhere:

| makeresults count=1
| eval data = "16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53; 16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com"
| makemv delim=";" data 
| mvexpand data
| rename COMMENT as "the above generates data below is the solution" 
| rex field=data "\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\s+\-\s+(?<message_test>[^|]+\w+\@\w+\.com)"
| table message_test

hope it helps

Splunkuser542 · ‎08-21-2018

Hi adonio, sorry, I hope the below examples are more clear.

Example 1.

16/08/2018 03:04:11 - Some paragraph. 10/08/2018 07:11:53

Example 2.

18/08/2018 07:06:11 - Some sort of comment here. Email: test@email.com 04/08/2018 02:51:53

Example 3.

21/08/2018 09:15:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. 01/08/2018 07:47:53

I'd like to capture all the text in between the date and time string, which are (in order):

Some paragraph.
Some sort of comment here. Email: test@email.com
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan.

Thanks in advance.

How to capture value between two dates and a time string?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...