
Can I create a substring from this string with two timestamps?

kdimaria
Communicator

I was just looking up the eval substr function in Splunk and was wondering if it is possible to get a substring from 0 to a character. Basically I have a field that contains two times with a message:

Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT

I basically want to get a substring and grab from the beginning to GMT and set it into a new field Message1 then grab the rest in another substring and put that into message two.
Message1= hello 8/30/2017 01:32:00 GMT
Message2= goodbye 8/30/2017 01:33:00 GMT

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

Try something like:

|  makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"


cpetterborg
SplunkTrust
SplunkTrust

If you don't mind a multivalue field:

| makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT foo 8/30/2017 01:32:00 GMT bar 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<message>.*)" | rex field=message max_match=0 "\s*(?P<Messages>.*?GMT)"

woodcock
Esteemed Legend

Then you can add this:

| eval Message1=mvindex(Messages, 0)
| eval Message2=mvindex(Messages, 1)
| eval Message3=mvindex(Messages, 2)
| eval Message4=mvindex(Messages, 3)
| eval Message5=mvindex(Messages, 4)


kdimaria
Communicator

@cpetterborg I basically just want to split whenever I see "GMT" and put it into a new field

0 Karma

kdimaria
Communicator

@cpetterborg Also there is the possibility of there being more than 2 messages with time stamps.

0 Karma

kdimaria
Communicator

@cpetterborg There are multiple different events though that have different messages like this in a "Notes" field. Will the rex command still work if I just did:

| makeresults | then the rex command you have?

0 Karma

niketnilay
Legend

@kdimaria, if your current field is Notes, you can use just the rex command on that field

 <YourBaseSearch>
| rex field=Notes "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

In case you don't know the field name, you can directly apply it on _raw data

 <YourBaseSearch>
|  rex field=_raw "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kdimaria
Communicator

@niketnilay Thank you, I think this will work but now I just remembered that there's a possibility of there being more than two messages so I don't know how I would account for that and might have to approach this problem differently.

0 Karma

niketnilay
Legend

@kdimaria, if possible please add some samples.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
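For the case raised above where Notes can hold more than two messages, here is an added example search (not from any of the posters) that extracts every "<text> <date> <time> GMT" chunk into a multivalue field, anchoring on the full timestamp rather than the bare word GMT so that a "GMT" inside message text does not split it, and then fans out to one row per message. The sample Notes value is constructed, and the field names body, MessageCount, MessageIndex, MessageText and MessageTime are my own choices.

```spl
| makeresults
| eval Notes="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT foo 8/30/2017 01:34:00 GMT"
| rex field=Notes "^Message=\s*(?P<body>.*)$"
| rex field=body max_match=0 "\s*(?P<Messages>\S.*?\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2} GMT)"
| eval MessageCount=mvcount(Messages)
| mvexpand Messages
| streamstats count AS MessageIndex
| rex field=Messages "^(?P<MessageText>.*?)\s+(?P<MessageTime>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) GMT$"
| eval _time=strptime(MessageTime." +0000", "%m/%d/%Y %H:%M:%S %z")
| table MessageIndex MessageCount MessageText MessageTime _time
```

Replace the first two lines with your base search against the real Notes field; if you would rather keep all messages on one event instead of one row each, drop the mvexpand and streamstats lines and pick values with mvindex(Messages, n) as shown earlier in the thread.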

kdimaria
Communicator

Actually I don't think that'd work

0 Karma