Splunk Search

How to remove the dynamic date and time from the incoming raw data and get the count

aaa2324
Explorer

How to compare the incoming data with dynamic date and time with the lookup table, example

i have incoming data in below format where the date and time keeps changing for every new entry

*abc -04/30 08:14:07 - c

*abc -04/30 08:03:20 -c

*abc -04/29 07:06:22 -c

and so on, I have to consolidate all the above data excluding the date and time and need to count how many times it is occurring. In my lookup table I have the same data in below format.

*abc -mm/dd hh:mm:ss -c

*abc -mm/dd hh:mm:ss-c

is there a way to get the desired results. ? Kindly advise 

Labels (2)
0 Karma

aaa2324
Explorer

Thanks how to change the script if there is comma in the middle

*abc -04/30, 08:14:07 - c

0 Karma

manjunathmeti
Champion

You add comma in the regex.

| rex mode=sed "s/\d{2}\/\d{2},?\s\d{2}:\d{2}:\d{2}//g"
0 Karma

manjunathmeti
Champion

You can use rex to remove the date time in the raw data.

| rex mode=sed "s/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}//g"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...