Solved: How to extract a string from an event?

owie6466 · ‎08-07-2019

Hello, I am very new to Splunk and I would like some help in doing this.

I need to extract from this field:
Event
1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.

and then check if it is less > 4 hours

I've been going through some answers and I, unfortunately, can't find the right one.

Thank you so much for any assistance.

mayurr98 · ‎08-07-2019

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

View solution in original post

mayurr98 · ‎08-07-2019

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

richgalloway · ‎08-07-2019

I offer a slight modification to allow for "2 hours ago".

| rex "(?<Time>\d{1,2})\s+hours?\s+ago" | where Time < 4

---
If this reply helps you, Karma would be appreciated.

owie6466 · ‎08-07-2019

thank you so much mayurr98 and richgalloway. i will try the code.

How to extract a string from an event?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to extract a string from an event?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES