Solved: How to extract a string from an event?

owie6466 · ‎08-07-2019

Hello, I am very new to Splunk and I would like some help in doing this.

I need to extract from this field:
Event
1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.

and then check if it is less > 4 hours

I've been going through some answers and I, unfortunately, can't find the right one.

Thank you so much for any assistance.

mayurr98 · ‎08-07-2019

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

View solution in original post

mayurr98 · ‎08-07-2019

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

richgalloway · ‎08-07-2019

I offer a slight modification to allow for "2 hours ago".

| rex "(?<Time>\d{1,2})\s+hours?\s+ago" | where Time < 4

---
If this reply helps you, Karma would be appreciated.

owie6466 · ‎08-07-2019

thank you so much mayurr98 and richgalloway. i will try the code.

How to extract a string from an event?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation