Splunk Search

How to extract values of time in **:**:** format from a raw event and add them as a separate field by name?

Renunaren
Loves-to-Learn Everything

"timestamp": "2023-05-12T10:41:28.479211Z", "level": "INFO", "filename": "splunk_sample_csv.py", "funcName": "main", "lineno": 38, "message": "Dataframe row : {\"_c0\":{\"0\":\"Linux\",\"1\":\"00:00:01\",\"2\":\"00:10:01\",\"3\":\"00:20:01\",\"4\":\"00:30:01\",\"5\":\"00:40:01\",\"6\":\"00:50:01\",\"7\":\"01:00:01\",\"8\":\"01:10:01\",\"9\":\"01:20:01\",\"10\":\"01:30:02\",\"11\":\"01:40:01\",\"12\":\"01:50:01\",\"13\":\"02:00:01\",\"14\":\"02:10:01\",\"15\":\"02:20:02\",\"16\":\"02:30:01\",\"17\":\"02:40:01\",\"18\":\"02:50:01\",\"19\":\"03:00:01\",\"20\":\"03:10:01\",\"21\":\"03:20:01\",\"22\":\"03:30:01\",\"23\":\"03:40:01\",\"24\":\"03:50:01\",\"25\":\"04:00:01\",\"26\":\"04:10:01\",\"27\":\"04:20:02\",\"28\":\"04:30:01\",\"29\":\"04:40:01\",\"30\":\"04:50:01\",\"31\":\"05:00:01\",\"32\":\"05:10:01\",\"33\":\"05:20:02\",\"34\":\"05:30:01\",\"35\":\"05:40:01\",\"36\":\"05:50:01\",\"37\":\"06:00:01\",\"38\":\"06:10:01\",\"39\":\"06:20:01\",\"40\":\"06:30:01\",\"41\":\"06:40:01\",\"42\":\"06:50:01\",\"43\":\"07:00:01\",\"44\":\"07:10:01\",\"45\":\"07:20:01\",\"46\":\"07:30:01\",\"47\":\"07:40:01\",\"48\":\"07:50:02\",\"49\":\"08:00:01\",\"50\":\"08:10:01\",\"51\":\"08:20:01\",\"52\":\"08:30:01\",\"53\":\"08:40:01\",\"54\":\"08:50:01\",\"55\":\"09:00:01\",\"56\":\"09:10:01\",\"57\":\"09:20:01\",\"58\":\"09:30:01\",\"59\":\"09:40:01\",\"60\":\"09:50:01\",\"61\":\"10:00:01\",\"62\":\"10:10:01\",\"63\":\"10:20:01\"


Hi Team,

We have a sample event like the one above. We have to extract the time values, which are in the format **:**:**, from the event and add them to a new field called TIME. Please help us with this issue.


Renunaren
Loves-to-Learn Everything

Hi Ciao,

Thanks for your reply. I have tried to use the rex command given above, but it hasn't worked for extracting the TIME value and adding it as a field.

Please help us with this.


ITWhisperer
SplunkTrust

Splunk deals with backslashes differently from regex101.com; also, you might want multiple occurrences dealt with. Try something like this:

| rex max_match=0 ":\\\\\"(?<TIME>\d\d:\d\d:\d\d)"
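
As an added illustration of the escaping point in this answer (example code written for this page, not from the thread or from Splunk): a small Python model of the two layers a rex pattern passes through. spl_unquote is an assumed model of how Splunk decodes a double-quoted SPL argument (only \\ and \" are collapsed; \d passes through untouched), RAW_EVENT is a constructed fragment of the posted event, and pcre_to_python only rewrites PCRE's (?<name>...) group syntax into the (?P<name>...) form Python's re understands. It shows that the three-backslash pattern posted earlier in the thread matches on regex101, where the text is applied directly, but not after Splunk has stripped one escaping layer, and that max_match=0 returns every time value rather than only the first.

```python
import re

# Constructed sample: a fragment of the posted event as it sits in _raw.
# The backslashes before the inner quotes are literal characters in the event.
RAW_EVENT = (
    r'"message": "Dataframe row : {\"_c0\":{\"0\":\"Linux\",\"1\":\"00:00:01\",'
    r'\"2\":\"00:10:01\",\"3\":\"00:20:01\"}}"'
)

# The two patterns from the thread, exactly as typed between the SPL quotes.
FIRST_PATTERN = r':\\\"(?<TIME>\d\d:\d\d:\d\d)'      # three backslashes: failed in Splunk
ANSWER_PATTERN = r':\\\\\"(?<TIME>\d\d:\d\d:\d\d)'   # five backslashes: worked with max_match=0


def spl_unquote(quoted: str) -> str:
    # Assumed model of Splunk's double-quoted string decoding: the sequences
    # \\ and \" collapse to \ and ", everything else (e.g. \d) is passed
    # through to the PCRE engine unchanged.
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted) and quoted[i + 1] in '\\"':
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def spl_quote(regex: str) -> str:
    # Inverse of spl_unquote: turn a regex that works on regex101 into the
    # text to paste between the quotes of | rex "...". Backslashes are
    # doubled before quotes are escaped, so \" in the regex becomes \\\".
    return regex.replace("\\", "\\\\").replace('"', '\\"')


def pcre_to_python(regex: str) -> str:
    # Python's re spells named groups (?P<name>...); PCRE, which Splunk uses,
    # also accepts (?<name>...). Lookbehinds (?<= and (?<! are left alone.
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex)


def regex101_matches(raw: str, regex: str) -> list[str]:
    # What regex101 shows: the pattern text is applied to the input directly.
    return [m.group("TIME") for m in re.finditer(pcre_to_python(regex), raw)]


def splunk_rex(raw: str, spl_pattern: str, max_match: int = 1) -> list[str]:
    # Approximation of | rex max_match=N "<spl_pattern>": the SPL string layer
    # is decoded first, then the regex runs. max_match=0 means all matches;
    # the default of 1 keeps only the first, as rex does.
    hits = regex101_matches(raw, spl_unquote(spl_pattern))
    return hits if max_match == 0 else hits[:max_match]


if __name__ == "__main__":
    print("regex101, three backslashes :", regex101_matches(RAW_EVENT, FIRST_PATTERN))
    print("Splunk,   three backslashes :", splunk_rex(RAW_EVENT, FIRST_PATTERN))
    print("Splunk,   five, max_match=1 :", splunk_rex(RAW_EVENT, ANSWER_PATTERN))
    print("Splunk,   five, max_match=0 :", splunk_rex(RAW_EVENT, ANSWER_PATTERN, max_match=0))
    print("regex101 -> SPL             :", spl_quote(r':\\"(?<TIME>\d\d:\d\d:\d\d)'))
```

The practical rule this models: test the regex on regex101 against a copy of _raw, then run it through spl_quote (double every backslash, escape every double quote) before pasting it into rex. Doubling \d to \\d along the way is harmless, since Splunk collapses it back to \d before the regex engine sees it.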

Renunaren
Loves-to-Learn Everything

Thank you @ITWhisperer, it has worked.


gcusello
SplunkTrust

Hi @Renunaren,

Yes, as you required, using the above rex you extract the values as the field "TIME".

Probably I didn't understand your requirement: what do you want to extract?

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @Renunaren,

If you want to extract the TIME values from the content of your events, you could use a regex like this:

| rex ":\\\"(?<TIME>\d\d:\d\d:\d\d)"

that you can test at https://regex101.com/r/S7loz7/1

Ciao.

Giuseppe
