Re: How do I write a regex for a date with the tim...

PCIIT · ‎11-25-2018

I need to help writing the regex for date format with time zone.

log format :

11 Sep 2018 18:40:42 (GMT +0200) Info:  receive.

regex :

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s
how to add  (GMT +0200) in regex

========================================
Why am I not able to extract a field for this regex? I can see parsing is happening but I am unable to extract the field

Log format:

11 Sep 2018 18:40:42 (GMT +0200) Info:  Retrospective verdict received.

SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3
Timestamp: 1536684042.09
Verdict: MALICIOUS
Reputation Score: 0
Spyname: W32.E989ECC778-95.SBX.TG

REGEX :

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\)\s([^:]+):\s{1,2}(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+)

Why am I not able to see a field extraction for this ?

woodcock · ‎12-03-2018

This RegEx works:

^\d{2}\s+\w{3}\s*\d{4}\s+(\d{2}:\d{2}:\d{2})\s*\(\S+\s*\+?\d{4}\)

But why do you care? Why are you not just using this:

TIME_PREFIX = ^
TIME_FORMAT = %d %b %Y %H:%M:%S (%Z)

skalliger · ‎11-27-2018

Hi,

why would you want to make it more complicated than it needs to be? You can simply define TIME_FORMAT in your props.conf, which makes it really simple.
11 Sep 2018 18:40:42 becomes

TIME_FORMAT = %d %b %Y %H:%M:%S

..and due to the parenthesis around the "GMT+0200" I would also set the

TZ = your timezone

for the same sourcetype.

Edit: Oh, I really forgot to mention to set TIME_PREFIX also.
Something easy like this:

TIME_PREFIX = (?:^\d+\s+\w+\s+\d+\s+(\d+\:){2}\d+)

Skalli

PCIIT · ‎11-27-2018

we are using different-2 time format in our log. for example
1)11 Sep 2018 18:40:42 (GMT +0200)
2) Mon Sep 24 10:40:03 2018

will it work ?

skalliger · ‎11-28-2018

You could have mentioned that earlier. 🙂
Two different time formats in the same log? That's unusual. If you got different logs with different time formats, put them into different sourcetypes and adjust the TIME_FORMAT accordingly.

Skalli

ddrillic · ‎11-25-2018

Please try - ^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\).

laurie_gellatly · ‎11-25-2018

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s(\+|-)\d{4}\)

as you should really allow for the time zone to be negative
Not sure why you want the hours,minutes and seconds to be captured?

MathiasLindblom · ‎11-27-2018

You should probably also make it the timestamp a capture group if you want to extract the field - using the regex @laurie_gellatly made, this will make a searchable field called DateTime:

    ^(?P<DateTime>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s\(\w{3}\s(?:\+|-)\d{4}\))

How do I write a regex for a date with the time zone, and why i am not able to extract the following field?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?