How do I write a regex for a date with the time zone, and why am I not able to extract the following field?
I need help writing the regex for a date format with a time zone.
Log format:
11 Sep 2018 18:40:42 (GMT +0200) Info: receive.
Regex:
^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s
How do I add (GMT +0200) to the regex?
========================================
Why am I not able to extract a field for this regex? I can see that parsing is happening, but I am unable to extract the field.
Log format:
11 Sep 2018 18:40:42 (GMT +0200) Info: Retrospective verdict received.
SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3
Timestamp: 1536684042.09
Verdict: MALICIOUS
Reputation Score: 0
Spyname: W32.E989ECC778-95.SBX.TG
Regex:
^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\)\s([^:]+):\s{1,2}(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+)
Why am I not able to see a field extraction for this?

This RegEx works:
^\d{2}\s+\w{3}\s*\d{4}\s+(\d{2}:\d{2}:\d{2})\s*\(\S+\s*\+?\d{4}\)
But why do you care? Why are you not just using this:
TIME_PREFIX = ^
TIME_FORMAT = %d %b %Y %H:%M:%S (%Z)

Hi,
Why would you want to make it more complicated than it needs to be? You can simply define TIME_FORMAT in your props.conf, which makes it really simple.
11 Sep 2018 18:40:42 becomes
TIME_FORMAT = %d %b %Y %H:%M:%S
..and due to the parentheses around the "GMT+0200" I would also set
TZ = your timezone
for the same sourcetype.
Edit: Oh, I really forgot to mention setting TIME_PREFIX also.
Something easy like this:
TIME_PREFIX = (?:^\d+\s+\w+\s+\d+\s+(\d+\:){2}\d+)
Skalli
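The TIME_FORMAT and TZ advice in the two answers above can be checked outside Splunk. The following Python example is added here; it is mine, not from the thread and not Splunk's timestamp parser. It uses datetime.strptime with the same directives, parses the header constructed from the question's first log line two ways (honouring the +0200 in the text, or dropping the zone and supplying an offset separately, which is what TZ = does), and cross-checks the result against the event's own Timestamp field of 1536684042.09. Python's %Z accepts only zone names, so the +0200 needs %z here; whether Splunk's own strptime accepts "(GMT +0200)" through "(%Z)" should be checked in the props.conf documentation rather than inferred from this.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values taken from the log lines quoted in the question
# (not a live capture).
SAMPLE_HEADER = "11 Sep 2018 18:40:42 (GMT +0200)"
SAMPLE_EPOCH_FIELD = "1536684042.09"  # the event's own "Timestamp:" line

# Python strptime equivalents of the TIME_FORMAT values discussed in the thread.
# %Z alone only accepts zone names in Python, so the "+0200" needs %z as well.
FORMAT_WITH_OFFSET = "%d %b %Y %H:%M:%S (%Z %z)"
FORMAT_ZONE_NAME_ONLY = "%d %b %Y %H:%M:%S (%Z)"  # the "(%Z)" variant from the thread
FORMAT_NO_ZONE = "%d %b %Y %H:%M:%S"              # the variant that relies on TZ =


def parse_with_offset(header: str) -> datetime:
    """Parse the full header, including the +0200 offset, into an aware datetime."""
    return datetime.strptime(header, FORMAT_WITH_OFFSET)


def format_accepts(header: str, fmt: str) -> bool:
    """True when strptime can consume the whole header with the given format."""
    try:
        datetime.strptime(header, fmt)
        return True
    except ValueError:
        return False


def epoch_with_offset(header: str) -> int:
    """Epoch seconds when the +0200 written in the log is honoured."""
    return int(parse_with_offset(header).timestamp())


def epoch_assuming_offset_hours(header: str, hours: int) -> int:
    """Epoch seconds when the zone is dropped from the format and an offset is
    supplied separately, the way a TZ = setting in props.conf would do it."""
    date_part = header.split(" (")[0]                 # "11 Sep 2018 18:40:42"
    naive = datetime.strptime(date_part, FORMAT_NO_ZONE)
    zone = timezone(timedelta(hours=hours))
    return int(naive.replace(tzinfo=zone).timestamp())


def offset_is_consistent(header: str, epoch_field: str) -> bool:
    """Cross-check: the parsed header must agree with the event's own epoch field."""
    return epoch_with_offset(header) == int(float(epoch_field))


if __name__ == "__main__":
    print(format_accepts(SAMPLE_HEADER, FORMAT_ZONE_NAME_ONLY))   # False
    print(epoch_with_offset(SAMPLE_HEADER))                        # 1536684042
    print(epoch_assuming_offset_hours(SAMPLE_HEADER, 0))           # 1536691242, two hours late
    print(epoch_assuming_offset_hours(SAMPLE_HEADER, 2))           # 1536684042
    print(offset_is_consistent(SAMPLE_HEADER, SAMPLE_EPOCH_FIELD)) # True
```

The event carries its own epoch value, and that value only agrees with the header when the +0200 is applied. Treating the header as UTC (offset 0, which is what happens if the zone is dropped from the format and no TZ is set on a UTC indexer) puts the event two hours late, so if TIME_FORMAT stops before the parenthesis, TZ for that sourcetype has to match the offset the log actually writes.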
We are using different time formats in our log. For example:
1) 11 Sep 2018 18:40:42 (GMT +0200)
2) Mon Sep 24 10:40:03 2018
Will it work?

You could have mentioned that earlier. 🙂
Two different time formats in the same log? That's unusual. If you got different logs with different time formats, put them into different sourcetypes and adjust the TIME_FORMAT accordingly.
Skalli
Please try: ^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\)
^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s(\+|-)\d{4}\)
as you should really allow for the time zone to be negative.
Not sure why you want the hours, minutes and seconds to be captured?
You should probably also make the timestamp a capture group if you want to extract the field. Using the regex @laurie_gellatly made, this will make a searchable field called DateTime:
^(?P<DateTime>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s\(\w{3}\s(?:\+|-)\d{4}\))
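To see what each pattern in this thread actually does against the sample event, here is an added Python check; it is example code written for this page, not from the thread and not from Splunk. It runs the question's first regex, the corrected single-line regexes from the answers, the question's full multi-line regex exactly as posted, and a named-group rewrite of it whose field names (DateTime, Level, Message, SHA256, Timestamp, Verdict, ReputationScore, Spyname) are my own choice. The event text is constructed from the lines quoted in the question. Python's re module stands in for Splunk's PCRE extraction, so this shows whether a pattern matches the text, not how Splunk breaks the data into events.

```python
import re
from typing import Optional

# Constructed sample event, assembled from the log lines quoted in the question
# (not a live capture).
SAMPLE_EVENT = (
    "11 Sep 2018 18:40:42 (GMT +0200) Info: Retrospective verdict received.\n"
    "SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3\n"
    "Timestamp: 1536684042.09\n"
    "Verdict: MALICIOUS\n"
    "Reputation Score: 0\n"
    "Spyname: W32.E989ECC778-95.SBX.TG\n"
)

# The question's first attempt: after the time it expects "\s\d{4}\s", but the
# text continues with "(GMT +0200)", so the match fails.
FIRST_ATTEMPT_RE = re.compile(r"^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s")

# The corrected pattern from the thread, with a negative offset allowed.
TIME_RE = re.compile(r"^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s(\+|-)\d{4}\)")

# The named-group version from the thread: the whole timestamp becomes a field.
DATETIME_RE = re.compile(
    r"^(?P<DateTime>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s\(\w{3}\s(?:\+|-)\d{4}\))"
)

# The question's multi-line extraction, exactly as posted (unnamed groups).
POSTED_MULTILINE_RE = re.compile(
    r"^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\)\s([^:]+):\s{1,2}"
    r"(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s"
    r"([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+)"
)

# A named-group rewrite (field names are my choice, hypothetical). Each value is
# limited to the rest of its own line, so no group can run across line
# boundaries the way [^,"]+ can, and the SHA256 value is pinned to 64 hex digits.
NAMED_MULTILINE_RE = re.compile(
    r"^(?P<DateTime>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s\(\w{3}\s[+-]\d{4}\))\s"
    r"(?P<Level>[^:]+):\s+(?P<Message>Retrospective verdict received)\.\n"
    r"SHA256:\s(?P<SHA256>[0-9a-fA-F]{64})\n"
    r"Timestamp:\s(?P<Timestamp>[^\n]+)\n"
    r"Verdict:\s(?P<Verdict>[^\n]+)\n"
    r"Reputation Score:\s(?P<ReputationScore>[^\n]+)\n"
    r"Spyname:\s(?P<Spyname>\S+)"
)


def first_attempt_matches(event: str) -> bool:
    """Does the question's original single-line regex match at all?"""
    return FIRST_ATTEMPT_RE.match(event) is not None


def extract_time(event: str) -> Optional[str]:
    """The HH:MM:SS capture from the corrected single-line regex."""
    m = TIME_RE.match(event)
    return m.group(1) if m else None


def extract_datetime(event: str) -> Optional[str]:
    """The whole timestamp, as the DateTime named group from the last answer."""
    m = DATETIME_RE.match(event)
    return m.group("DateTime") if m else None


def posted_multiline_groups(event: str):
    """All eight captures of the multi-line regex as posted, or None if no match."""
    m = POSTED_MULTILINE_RE.match(event)
    return m.groups() if m else None


def extract_fields(event: str) -> dict:
    """Field name to value mapping from the named-group rewrite."""
    m = NAMED_MULTILINE_RE.match(event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print(first_attempt_matches(SAMPLE_EVENT))    # False
    print(extract_time(SAMPLE_EVENT))             # 18:40:42
    print(extract_datetime(SAMPLE_EVENT))         # 11 Sep 2018 18:40:42 (GMT +0200)
    print(posted_multiline_groups(SAMPLE_EVENT))  # eight captures: the posted pattern does match
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name} = {value}")
```

The posted multi-line regex does match once the event is presented as one string containing newlines, so the pattern itself is not what blocks the extraction; the next thing to check is whether the event reaches the extraction as a single multi-line event rather than as separate lines. The rewrite confines each value to its own line, which keeps a field from silently absorbing following lines when a value happens to contain no comma or quote for a long stretch.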
