Solved: How to use multiple numbers in search?

ipteam · ‎01-23-2023

Hello Guys,

I'd like to create a search based on business hours, and like to use a field with value like this:

"2023/01/20 08:52:58"

The bold number would be interesting, and like to search with multiple values. example 08-18h [08,09,10,11,12,13,14,15,16,17,18]

How could I find a regex to extract theese numbers?

thanks a lot!

jamie00171 · ‎01-23-2023

Hi @ipteam,

Something like this should work for you:

<your search goes here>
| rex field=<insert field name that contains timestamp here> "(?<year>\d{4})\/(?<month>\d{2})\/(?<day>\d{2})\s+(?<hour>\d{2})\:(?<minutes>\d{2})\:(?<seconds>\d{2})"

Thanks,

Jamie

View solution in original post

PaulPanther · ‎01-23-2023

@ipteam You shouldn't need a field extraction. Splunk parses the timestamp into multiple fields like date_hour.

Sample search:

index=_internal
| where date_hour>07 AND date_hour<19

PickleRick · ‎01-23-2023

Those time fields are tricky because:

1) They might not get extracted at all

2) They represent the timestamp parts as included in the raw event. So if the original event included some exotic timezone, those fields will be in that timezone.

ipteam · ‎01-23-2023

Yes, would be great, but this filed is not equal to the generated time of the log. Unfortunatly it's a custom one.
Also interested in the regex what splits _time filed to day,hour.. and so on.

jamie00171 · ‎01-23-2023

Hi @ipteam,

Something like this should work for you:

<your search goes here>
| rex field=<insert field name that contains timestamp here> "(?<year>\d{4})\/(?<month>\d{2})\/(?<day>\d{2})\s+(?<hour>\d{2})\:(?<minutes>\d{2})\:(?<seconds>\d{2})"

Thanks,

Jamie

ipteam · ‎01-23-2023

Hello Jamie,

Works, thanks a lot!

How to use multiple numbers in search?

rex

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation