Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to capture value between two dates and a time ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to capture value between two dates and a time string?
Splunkuser542
Explorer
08-19-2018
03:15 PM
Hi,
How can I capture the the text between the first and second date and time strings.
Using the example event below, I'd like to capture only "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com".
Sometimes there will be no ending date and time as shown in Example 2 below.
Example 1:
16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53
Example 2 (no date and time at the end):
16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com
I've created the following regex, but when I table the 'test' field, I don't have any resuts.
([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2}\s\-)(?P<test>.*)([0-9]{2}\/[0-9]{2}\/[0-9]{4}\s[0-9]{2}\:[0-9]{2}\:[0-9]{2})
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
08-19-2018
04:18 PM
hope i understood your requirement<
try this search anywhere:
| makeresults count=1
| eval data = "16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com 10/08/2018 07:11:53; 16/08/2018 03:04:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. Maecenas aliquet massa a arcu condimentum, sit amet hendrerit tellus porttitor. Ut ultricies id odio at semper. help@lipsum.com"
| makemv delim=";" data
| mvexpand data
| rename COMMENT as "the above generates data below is the solution"
| rex field=data "\d{2}\/\d{2}\/\d{4}\s+\d{2}\:\d{2}\:\d{2}\s+\-\s+(?<message_test>[^|]+\w+\@\w+\.com)"
| table message_test
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkuser542
Explorer
08-21-2018
04:03 PM
Hi adonio, sorry, I hope the below examples are more clear.
Example 1.
16/08/2018 03:04:11 - Some paragraph. 10/08/2018 07:11:53
Example 2.
18/08/2018 07:06:11 - Some sort of comment here. Email: test@email.com 04/08/2018 02:51:53
Example 3.
21/08/2018 09:15:11 - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan. 01/08/2018 07:47:53
I'd like to capture all the text in between the date and time string, which are (in order):
- Some paragraph.
- Some sort of comment here. Email: test@email.com
- Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam sodales nunc sit amet justo tristique, non consectetur quam accumsan.
Thanks in advance.
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
