
Get the specific string from the line

harshal_chakran
Builder

Hi,
I wanted to know whether it is possible to get a string at a specific location from a line.

For example, my line is:

STEP LOGVAL      error_Func_value/error function value      10:04:06.085         doorstep: get the directive

Now I want to show this string "10:04:06.085" as my result.

Please help.

0 Karma

kristian_kolb
Ultra Champion

Is this what your actual log looks like? How are the pieces of information separated? Multiple spaces? tabs?

Assuming you have a separator of 6 spaces, like in your sample above, you can extract the time information into a field called TimeStamp like this:

your base search | rex "\s{6}(?<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}" | the rest of your search

Hope this helps,

K

0 Karma

kristian_kolb
Ultra Champion

"highlights the sourcetype"? I don't understand. Try this somewhat shorter regex:

...| rex "\s{3,}(?<TimeStamp>[0-9.:]+)\s{3,}" | table TimeStamp

The last table command is just for verification purposes. Remove it if the extraction works.

0 Karma

harshal_chakran
Builder

Hi,
Thanks for the help.
But when I run this query, it highlights only the sourcetype, and what I want is to get that timestamp in the output. I have tried to tweak the query, but couldn't succeed.

And the pieces of information are separated by multiple spaces.

0 Karma
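
The two `rex` patterns suggested in this thread, checked against the sample line with different separators, as an added example that is not part of the original posts. It uses JavaScript's regex engine as a stand-in for Splunk's PCRE (the syntax is the same for these patterns); every sample line except the first, and the `COMBINED` pattern, are constructed here for illustration.

```javascript
// Patterns copied from the two answers in the thread.
const FIXED = /\s{6}(?<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}/;
const FLEXIBLE = /\s{3,}(?<TimeStamp>[0-9.:]+)\s{3,}/;
// Hypothetical variant (not from the thread): strict time format, any whitespace run.
const COMBINED = /\s+(?<TimeStamp>\d{2}:\d{2}:\d{2}\.\d{3})\s+/;

// Sample events. "sixSpaces" is the line from the question; the others are
// constructed variants with different separators or an extra numeric column.
const SAMPLES = {
  sixSpaces:
    "STEP LOGVAL      error_Func_value/error function value      10:04:06.085         doorstep: get the directive",
  threeSpaces:
    "STEP LOGVAL   error_Func_value/error function value   10:04:06.085   doorstep: get the directive",
  tabs:
    "STEP LOGVAL\terror_Func_value/error function value\t10:04:06.085\tdoorstep: get the directive",
  numericField:
    "STEP LOGVAL   404   10:04:06.085   doorstep: get the directive",
};

// Return the TimeStamp capture, or null when the pattern does not match.
function extract(pattern, line) {
  const m = pattern.exec(line);
  return m ? m.groups.TimeStamp : null;
}

// Run every pattern over every sample so the differences are visible side by side.
function report() {
  const out = {};
  for (const [name, line] of Object.entries(SAMPLES)) {
    out[name] = {
      fixed: extract(FIXED, line),       // needs exactly-6-or-more spaces on both sides
      flexible: extract(FLEXIBLE, line), // accepts the first digits/dots/colons token
      combined: extract(COMBINED, line),
    };
  }
  return out;
}

console.log(report());
```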