Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a string from an event?

owie6466
Explorer
‎08-07-2019 12:30 PM

Hello, I am very new to Splunk and I would like some help in doing this.

I need to extract from this field:
Event
1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.

and then check if it is less > 4 hours

I've been going through some answers and I, unfortunately, can't find the right one.

Thank you so much for any assistance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 12:51 PM

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 12:51 PM

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 12:55 PM

I offer a slight modification to allow for "2 hours ago".

| rex "(?<Time>\d{1,2})\s+hours?\s+ago" | where Time < 4

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

owie6466
Explorer
‎08-07-2019 01:25 PM

thank you so much mayurr98 and richgalloway. i will try the code.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...