Hi Team - Need your expertise in Regex.
Below is the raw log. I need to extract the date and time; the only unique parts are the words "START" and "END". The goal is to find the response time between START and END in a table format.
Note: there are no spaces in the log.
START</enteringExiting><logLevel>INFO</logLevel><messageType>LOG</messageType><applicationName>GstarSOA</applicationName<programName>GstarRecipientService_MF</programName><functionName>GetRecipient</functionName><host>PerfNode0</host><messageDetails>2022-06-17 04:10:53/utility/logging"><enteringExiting>END</enteringExiting><logLevel>INFO</logLevel><messageType>LOG</messageType><applicationName>GstarSOA</applicationName><programName>GstarRecipientService_MF</programName<functionName>GetRecipient</functionName><host>PerfNode0</host><messageDetails>2022-06-17 04:10:53
Hi @kc_prane,
if the shared sample is in one event, you could use the following regex:
| rex "START.*messageDetails\>(?<Start_Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\/.*END.*messageDetails\>(?<End_Date>\d+-\d+-\d+\s+\d+:\d+:\d+)"
that you can test at https://regex101.com/r/moeIVB/1
If instead you have two events, you can split the above regex into two regexes.
Ciao.
Giuseppe
Thanks Gcusello!
I modified your solution and it worked.
| rex "START.*messageDetails\>(?<Start_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)" | rex "END.*messageDetails\>(?<End_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)"
Hi @kc_prane,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @gcucello
Can you also help me separate the date and time in the regex? Because I wanted to find the difference between Start_time and End_time.
| rex "START.*messageDetails\>(?<Start_Date>\d+\-\d+\-\d+\s+\d+\:\d+\:\d+)"
My results: 2022-06-17 03:49:46
Hi @gcucello - No worries, I got the solution, thanks a lot.
| rex "START.*messageDetails\>\d+\-\d+\-\d+\s+(?<Start_Time>\d+\:\d+\:\d+)" | rex "END.*messageDetails\>\d+\-\d+\-\d+\s+(?<End_Time>\d+\:\d+\:\d+)"
| eval ST = Strptime(Start_Time, "%H:%M:%S.%3N")
| eval ET = Strptime(End_Time, "%H:%M:%S.%3N")
| eval ResponseTime = tostring((ET -ST), "duration")
| table _time host tag::host Start_Time End_Time ResponseTime
@kc_prane
Hi,
Would you give me an example of your expected result?
How do you calculate response time between start and end? With messageDetails?
Hi Marysan - Thanks for the reply, I got the solution.
| rex "START.*messageDetails\>\d+\-\d+\-\d+\s+(?<Start_Time>\d+\:\d+\:\d+)" | rex "END.*messageDetails\>\d+\-\d+\-\d+\s+(?<End_Time>\d+\:\d+\:\d+)"
| eval ST = Strptime(Start_Time, "%H:%M:%S.%3N")
| eval ET = Strptime(End_Time, "%H:%M:%S.%3N")
| eval ResponseTime = tostring((ET -ST), "duration")
| table _time host tag::host Start_Time End_Time ResponseTime
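Added example, not part of the thread: a Python check of how the thread's regexes behave when START and END sit in the same event. A greedy `.*` after START runs to the last `messageDetails>`, and dropping the date gives a negative duration across midnight. The `EVENT` string is constructed from the thread's sample with changed timestamps, the function names are hypothetical, and Python's `re` writes named groups as `(?P<name>...)` where `rex` uses `(?<name>...)`; the lazy `.*?` is valid in both.

```python
import re
from datetime import datetime

# Constructed single event modelled on the thread's raw log (no spaces between
# tags); timestamps changed so START and END differ and straddle midnight.
EVENT = (
    "<enteringExiting>START</enteringExiting><logLevel>INFO</logLevel>"
    "<functionName>GetRecipient</functionName><host>PerfNode0</host>"
    "<messageDetails>2022-06-17 23:59:58/utility/logging\">"
    "<enteringExiting>END</enteringExiting><logLevel>INFO</logLevel>"
    "<functionName>GetRecipient</functionName><host>PerfNode0</host>"
    "<messageDetails>2022-06-18 00:00:03"
)

TS = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}"
FMT = "%Y-%m-%d %H:%M:%S"

def extract(event, marker, lazy=True):
    """Return the timestamp captured after `marker`, or None if absent."""
    gap = ".*?" if lazy else ".*"  # lazy stops at the first messageDetails>
    m = re.search(marker + gap + r"messageDetails>(?P<ts>" + TS + ")", event, re.S)
    return m.group("ts") if m else None

def response_seconds(event):
    """Seconds between START and END, using date and time; None if one is missing."""
    start, end = extract(event, "START"), extract(event, "END")
    if start is None or end is None:
        return None
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds()

def time_only_seconds(event):
    """Same calculation with the date dropped, for comparison."""
    s = datetime.strptime(extract(event, "START")[11:], "%H:%M:%S")
    e = datetime.strptime(extract(event, "END")[11:], "%H:%M:%S")
    return (e - s).total_seconds()

if __name__ == "__main__":
    print("greedy START :", extract(EVENT, "START", lazy=False))
    print("lazy START   :", extract(EVENT, "START"))
    print("response (s) :", response_seconds(EVENT))
    print("time-only (s):", time_only_seconds(EVENT))
```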