Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Get the specific string from the line

harshal_chakran
Builder
‎10-08-2013 02:12 AM

Hi,
I wanted to know is it possible to get a string at specific location from a line.

for e.g.
My line is:

STEP LOGVAL      error_Func_value/error function value      10:04:06.085         doorstep: get the directive

Now I want to show this string "10:04:06.085" as my result.

Please help.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-08-2013 02:27 AM

Is this what your actual log looks like? How are the pieces of information separated? Multiple spaces? tabs?

Assuming you have a separator of 6 spaces, like in your sample above, you can extract the the time information into a field called TimeStamp like this;

your base search | rex "\s{6}(?<TimeStamp>\d\d:\d\d:\d\d\.\d\d\d)\s{6}" | the rest of your search

Hope this helps,

K

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-08-2013 06:24 AM

"highlights the sourcetype"? I don't understand. Try this, somewhat shorter regex;

...| rex "\s{3,}(?<TimeStamp>[0-9.:]+)\s{3,}" | table TimeStamp

The last table command is just for verification purposes. Remove it if the extraction works.

0 Karma
Reply

harshal_chakran
Builder
‎10-08-2013 05:27 AM

Hi,
Thanks for the help.
But when I run this query, it highlights only the sourcetype, and what I want is to get that timestamp at output. I have tried to tweak the query, but couldn't succeed.

And the pieces of information is separated by multiple spaces.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...