Splunk Search

How to extract a string from an event?

Explorer

Hello, I am very new to Splunk and I would like some help in doing this.

I need to extract from this field:
Event
1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.

and then check if it is less > 4 hours

I've been going through some answers and I, unfortunately, can't find the right one.

Thank you so much for any assistance.


SplunkTrust

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4



SplunkTrust

I offer a slight modification to allow for "2 hours ago".

| rex "(?<Time>\d{1,2})\s+hours?\s+ago" | where Time < 4

---
If this reply helps you, an upvote would be appreciated.
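To show what the two rex patterns above actually do on events shaped like the one in the question, here is an added Python example (not from the thread or from Splunk) that applies the original `hour` pattern and the modified `hours?` pattern to a few constructed sample events and then keeps the ones below 4 hours, mirroring `| where Time < 4`. The hostnames other than the one in the question are constructed.

```python
import re

# Constructed sample events, in the shape of the one quoted in the question.
SAMPLE_EVENTS = [
    "1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.",
    "2 hours ago, host-b.example.com, windows 6.3.9600.",       # constructed
    "12 hours ago, host-c.example.com, windows 6.3.9600.",      # constructed
    "30 minutes ago, host-d.example.com, windows 6.3.9600.",    # constructed
]

# The first answer's pattern: only the singular "hour" matches.
ORIGINAL_PATTERN = re.compile(r"(?P<Time>\d{1,2})\s+hour\s+ago")
# The modified pattern: the optional "s" makes "hours" match as well.
MODIFIED_PATTERN = re.compile(r"(?P<Time>\d{1,2})\s+hours?\s+ago")


def extract_hours(event, pattern):
    """Return the captured hour count as an int, or None when the pattern
    does not match (the equivalent of the Time field not being created)."""
    match = pattern.search(event)
    if match is None:
        return None
    # The named group is a string; convert it so the comparison is numeric.
    return int(match.group("Time"))


def recent_events(events, pattern, max_hours=4):
    """Mimic `| rex ... | where Time < 4`: keep only events where the Time
    field was extracted and is below max_hours."""
    kept = []
    for event in events:
        hours = extract_hours(event, pattern)
        if hours is not None and hours < max_hours:
            kept.append(event)
    return kept


if __name__ == "__main__":
    for name, pattern in (("hour", ORIGINAL_PATTERN), ("hours?", MODIFIED_PATTERN)):
        print(f"pattern with '{name}':")
        for event in recent_events(SAMPLE_EVENTS, pattern):
            print("  kept:", event)
```

With the original pattern only the "1 hour ago" event survives; with the `hours?` pattern the "2 hours ago" event is kept too, while "12 hours ago" is dropped by the comparison and "30 minutes ago" never matches.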

Explorer

Thank you so much mayurr98 and richgalloway. I will try the code.
