Splunk Search

How do I write a regex for a date with the time zone, and why am I not able to extract the following field?

PCIIT
New Member

I need help writing the regex for a date format with a time zone.

log format :

11 Sep 2018 18:40:42 (GMT +0200) Info:  receive.

regex :

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s
How do I add (GMT +0200) to the regex?

========================================
Why am I not able to extract a field for this regex? I can see parsing is happening but I am unable to extract the field

Log format:

11 Sep 2018 18:40:42 (GMT +0200) Info:  Retrospective verdict received.

SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3
Timestamp: 1536684042.09
Verdict: MALICIOUS
Reputation Score: 0
Spyname: W32.E989ECC778-95.SBX.TG

REGEX :

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\)\s([^:]+):\s{1,2}(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+)

Why am I not able to see a field extraction for this ?

0 Karma

woodcock
Esteemed Legend

This RegEx works:

^\d{2}\s+\w{3}\s*\d{4}\s+(\d{2}:\d{2}:\d{2})\s*\(\S+\s*\+?\d{4}\)

But why do you care? Why are you not just using this:

TIME_PREFIX = ^
TIME_FORMAT = %d %b %Y %H:%M:%S (%Z)
0 Karma

skalliger
SplunkTrust

Hi,

why would you want to make it more complicated than it needs to be? You can simply define TIME_FORMAT in your props.conf, which makes it really simple.
11 Sep 2018 18:40:42 becomes

TIME_FORMAT = %d %b %Y %H:%M:%S

...and due to the parentheses around the "GMT+0200" I would also set the

TZ = your timezone

for the same sourcetype.

Edit: Oh, I really forgot to mention to set TIME_PREFIX also.
Something easy like this:

TIME_PREFIX = (?:^\d+\s+\w+\s+\d+\s+(\d+\:){2}\d+)

Skalli

0 Karma

PCIIT
New Member

We are using different time formats in our log. For example:
1) 11 Sep 2018 18:40:42 (GMT +0200)
2) Mon Sep 24 10:40:03 2018

Will it work?

0 Karma

skalliger
SplunkTrust

You could have mentioned that earlier. 🙂
Two different time formats in the same log? That's unusual. If you got different logs with different time formats, put them into different sourcetypes and adjust the TIME_FORMAT accordingly.

Skalli

0 Karma

ddrillic
Ultra Champion

Please try - ^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s\+\d{4}\).

0 Karma

laurie_gellatly
Communicator

^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\(\w{3}\s(\+|-)\d{4}\)

as you should really allow for the time zone to be negative.
Not sure why you want the hours, minutes and seconds to be captured?

MathiasLindblom
Path Finder

You should probably also make the timestamp a capture group if you want to extract the field. Using the regex @laurie_gellatly made, this will make a searchable field called DateTime:

    ^(?P<DateTime>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s\(\w{3}\s(?:\+|-)\d{4}\))
0 Karma
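As an added, stand-alone example (not code from any of the posters above): the header regex below combines the signed offset from laurie_gellatly's answer with the named DateTime group from MathiasLindblom's, and goes one step further by applying the "(GMT +0200)" offset to get UTC epoch seconds and cross-checking the result against the event's own Timestamp field, which is a quick way to see whether the zone was handled correctly. The "Key: value" extraction for the lines below the header and the field names it produces are my own assumptions, not Splunk's.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event, same shape as the one in the question.
EVENT = """11 Sep 2018 18:40:42 (GMT +0200) Info:  Retrospective verdict received.
SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3
Timestamp: 1536684042.09
Verdict: MALICIOUS
Reputation Score: 0
Spyname: W32.E989ECC778-95.SBX.TG"""

# Header timestamp: the whole stamp lands in a named group (DateTime) and the
# UTC offset sign may be + or -, as suggested in the thread.
TS_RE = re.compile(
    r"^(?P<DateTime>(?P<date>\d{2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2})"
    r"\s\(\w+\s*(?P<sign>[+-])(?P<hh>\d{2})(?P<mm>\d{2})\))"
)
# "Key: value" lines below the header (assumed layout); keys may contain
# spaces, e.g. "Reputation Score".
KV_RE = re.compile(r"^(?P<key>[^:\n]+):\s+(?P<value>.+?)\s*$", re.MULTILINE)


def parse_event(event: str) -> dict:
    """Return the extracted fields plus _time (epoch seconds, UTC)."""
    head, _, body = event.partition("\n")
    m = TS_RE.match(head)
    if m is None:
        raise ValueError("header timestamp did not match TS_RE")
    naive = datetime.strptime(m["date"], "%d %b %Y %H:%M:%S")
    # "(GMT +0200)" is not a %z token, so the offset is applied by hand.
    offset = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
    if m["sign"] == "-":
        offset = -offset
    fields = {"DateTime": m["DateTime"],
              "_time": naive.replace(tzinfo=timezone(offset)).timestamp()}
    for kv in KV_RE.finditer(body):
        fields[kv["key"].strip().replace(" ", "_")] = kv["value"]
    return fields


def header_matches_timestamp_field(event: str, tolerance: float = 1.0) -> bool:
    """Cross-check: the parsed header time should agree with the event's own
    Timestamp field; a gap of whole hours means the zone offset was lost."""
    f = parse_event(event)
    return abs(f["_time"] - float(f["Timestamp"])) <= tolerance


if __name__ == "__main__":
    print(parse_event(EVENT))
```

The second format from the thread ("Mon Sep 24 10:40:03 2018") carries no offset at all, so it needs its own pattern and a TZ setting, which is exactly why a separate sourcetype was recommended.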