Is this what your actual log looks like? How are the pieces of information separated? Multiple spaces? tabs?
Assuming you have a separator of 6 spaces, like in your sample above, you can extract the time information into a field called TimeStamp like this:
your base search | rex "\s{6}(?<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}" | the rest of your search
Hope this helps,
K
"highlights the sourcetype"? I don't understand. Try this somewhat shorter regex:
...| rex "\s{3,}(?<TimeStamp>[0-9.:]+)\s{3,}" | table TimeStamp
The last table command is just for verification purposes. Remove it if the extraction works.
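To see what the two rex patterns above actually capture before running them in Splunk, here is an added example (not from the answers above) that applies both regexes to a few constructed log lines in Python. Splunk's rex uses PCRE, so the only change needed is the named-group syntax: Python's re module requires (?P<TimeStamp>...) where Splunk accepts (?<TimeStamp>...). The sample lines are made up for this illustration; the third one uses a three-space separator to show why the fixed \s{6} pattern can miss rows that the \s{3,} pattern catches.

```python
import re

# Constructed sample lines (not from the original thread). Fields are
# separated by runs of spaces, as the asker describes.
SAMPLE_LOG = [
    "2024-01-15      10:23:45.123      INFO      worker-1      job started",
    "2024-01-15      10:23:46.004      WARN      worker-2      slow response",
    "2024-01-15   10:23:47.999   ERROR   worker-3   only three spaces here",
    "no timestamp on this line at all",
]

# First answer's pattern: exactly six whitespace characters on each side.
# Python needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).
STRICT_RE = re.compile(r"\s{6}(?P<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}")

# Second answer's pattern: three or more whitespace characters on each side.
# [0-9.:]+ is looser than the \d\d:\d\d:\d\d\.\d\d\d form (it would also
# accept something like "10.23:45"), so check the extracted values.
LOOSE_RE = re.compile(r"\s{3,}(?P<TimeStamp>[0-9.:]+)\s{3,}")


def extract_timestamps(lines, pattern):
    """Return the TimeStamp capture for each line, or None when the pattern
    does not match (the equivalent of an empty field in Splunk's table)."""
    results = []
    for line in lines:
        m = pattern.search(line)
        results.append(m.group("TimeStamp") if m else None)
    return results


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_RE), ("loose", LOOSE_RE)):
        print(name)
        for line, ts in zip(SAMPLE_LOG, extract_timestamps(SAMPLE_LOG, pat)):
            print(f"  {ts!r:<18} <- {line[:40]}")
```

Running it shows the strict pattern returning None for the line whose separator is only three spaces, while the \s{3,} pattern extracts all three timestamps; this is the same check the `| table TimeStamp` step performs in Splunk, just done offline.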
Hi,
Thanks for the help.
But when I run this query, it highlights only the sourcetype, and what I want is to get that timestamp in the output. I have tried to tweak the query, but couldn't succeed.
And the pieces of information are separated by multiple spaces.