
Can I create a substring from this string with two timestamps?

Communicator

I was just looking up the eval substr function in Splunk and was wondering if it is possible to get a substring from 0 to a character. Basically I have a field that contains two times with a message:

Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT

I basically want to get a substring and grab from the beginning to GMT and set it into a new field Message1 then grab the rest in another substring and put that into message two.
Message1= hello 8/30/2017 01:32:00 GMT
Message2= goodbye 8/30/2017 01:33:00 GMT


Re: Can I create a substring from this string with two timestamps?

SplunkTrust

Try something like:

|  makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"


Re: Can I create a substring from this string with two timestamps?

Communicator

@cpetterborg There are multiple different events though that have different messages like this in a "Notes" field. Will the rex command still work if I just did:

| makeresults | then the rex command you have?


Re: Can I create a substring from this string with two timestamps?

Communicator

Actually, I don't think that'd work.


Re: Can I create a substring from this string with two timestamps?

Legend

@kdimaria, if your current field is Notes, you can use just the rex command on that field:

 <YourBaseSearch>
| rex field=Notes "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

In case you don't know the field name, you can apply it directly on the _raw data:

 <YourBaseSearch>
|  rex field=_raw "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

| eval message="Happy Splunking!!!"



Re: Can I create a substring from this string with two timestamps?

Communicator

@niketnilay Thank you, I think this will work, but now I just remembered that there's a possibility of there being more than two messages, so I don't know how I would account for that and might have to approach this problem differently.


Re: Can I create a substring from this string with two timestamps?

Legend

@kdimaria, if possible please add some samples.

| eval message="Happy Splunking!!!"



Re: Can I create a substring from this string with two timestamps?

Communicator

@cpetterborg Also, there is the possibility of there being more than 2 messages with timestamps.


Re: Can I create a substring from this string with two timestamps?

Communicator

@cpetterborg I basically just want to split whenever I see "GMT" and put it into a new field.


Re: Can I create a substring from this string with two timestamps?

SplunkTrust

If you don't mind a multivalue field:

| makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT foo 8/30/2017 01:32:00 GMT bar 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<message>.*)" | rex field=message max_match=0 "(?P<Messages>.*?GMT)"
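The two regex approaches used in this thread (the two fixed groups `Message1`/`Message2` from the first answer, and the `max_match=0` lazy `.*?GMT` split from the last one) translated to Python so the behaviour can be checked offline. This is an added example, not code from the thread or from Splunk; the sample string is constructed here in the shape of the asker's Notes field, with a third message appended to cover the "more than two messages" case, and the timestamp format assumption (`%m/%d/%Y %H:%M:%S GMT`) is mine.

```python
import re
from datetime import datetime

# Constructed sample (assumption): same shape as the thread's field, plus a third message.
SAMPLE = ("Message= hello 8/30/2017 01:32:00 GMT "
          "goodbye 8/30/2017 01:33:00 GMT "
          "foo 8/30/2017 01:32:00 GMT")

# The thread's rex patterns as Python regexes.
TWO_FIELDS = re.compile(r"Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)")
WHOLE_MESSAGE = re.compile(r"Message= (?P<message>.*)")
ONE_MESSAGE = re.compile(r".*?GMT")                          # lazy: stops at the first GMT
GREEDY_FIRST = re.compile(r"Message= (?P<Message1>.*GMT)")  # greedy, shown for contrast


def split_two(raw):
    """First answer: exactly two named groups. Anything after the first GMT lands in Message2."""
    m = TWO_FIELDS.search(raw)
    return m.groupdict() if m else None


def split_all(raw):
    """Last answer: like rex max_match=0, one value per '... GMT' chunk, however many there are."""
    m = WHOLE_MESSAGE.search(raw)
    if not m:
        return []
    # findall with a lazy quantifier walks left to right, one chunk per GMT;
    # the leading space of each later chunk is stripped.
    return [chunk.strip() for chunk in ONE_MESSAGE.findall(m.group("message"))]


def greedy_first(raw):
    """Why the '?' matters: a greedy .*GMT swallows everything up to the LAST GMT."""
    m = GREEDY_FIRST.search(raw)
    return m.group("Message1") if m else None


def message_timestamps(raw):
    """Parse the timestamp ending each chunk; a ValueError here means the split went wrong."""
    out = []
    for chunk in split_all(raw):
        ts = " ".join(chunk.split()[-3:])  # e.g. "8/30/2017 01:32:00 GMT" (format assumed)
        out.append(datetime.strptime(ts, "%m/%d/%Y %H:%M:%S GMT").isoformat())
    return out


if __name__ == "__main__":
    print(split_two(SAMPLE))
    print(split_all(SAMPLE))
    print(greedy_first(SAMPLE))
    print(message_timestamps(SAMPLE))
```

With three messages, `split_two` puts the second and third into `Message2` together, which is the problem the asker ran into; `split_all` returns one value per message regardless of count, and `greedy_first` shows why the non-greedy `.*?` in both answers is essential.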