Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract time from log

shwetamis
Explorer
‎12-03-2019 11:44 AM

Below is my data
2019-12-03 14:20:55,679 ------------------ Begin Request -----------------

How do I extract begin time 14:20:55 from the above log data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-03-2019 06:47 PM

Hi

Try this

| makeresults 
| eval temp="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------" 
| rex field=temp "\d{4}-\d{2}-\d{2}\s(?P<beginTime>\d{2}:\d{2}:\d{2})"

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-03-2019 06:47 PM

Hi

Try this

| makeresults 
| eval temp="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------" 
| rex field=temp "\d{4}-\d{2}-\d{2}\s(?P<beginTime>\d{2}:\d{2}:\d{2})"
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:14 AM

Thank you this one worked.

0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:16 AM

Also I don't want to hardcode the time in the search, as it is not for one transaction, how to I do that ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-03-2019 02:25 PM

Like this:

... | eval begin=strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N")
0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:18 AM

is _raw field that hold values of time ? if so then it returns raw data it doesn't return the time

0 Karma
Reply
Solved! Jump to solution

aberkow
Builder
‎12-03-2019 01:12 PM

If you're sure that is the raw format for all of your logs, you can write a simple regex leveraging the rex command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Rex#Syntax. Rough example syntax below:

{code}
| makeresults count=1
| eval _raw="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------"
| rex field=_raw ".\s(?.),.*"

{code}

If you run this code, you can see that I generate a similar event to the line you posted above, and then run the rex command with a capturing group around "timeStamp", which is anything after the first whitespace up until the first comma. For your case you don't need to generate the _raw field as that is just a representation of the log you already have on your machine.

Why I call this "rough" syntax is you want to make sure the regex works for all of your log formats, so this means either running it against multiple logs and making sure that the timeStamp field is always populated or iterating on the regex (I like regex101.com for that, it has a workspace and good tips on the side) since you will have access to more log information than me. In general, using the rex command is a great way to extract information from a string in Splunk though!

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:16 AM

I don't want to hardcode the time, as I am searching for multiple transactions

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...