Solved: How to use multiple numbers in search?

ipteam · ‎01-23-2023

Hello Guys,

I'd like to create a search based on business hours, and like to use a field with value like this:

"2023/01/20 08:52:58"

The bold number would be interesting, and like to search with multiple values. example 08-18h [08,09,10,11,12,13,14,15,16,17,18]

How could I find a regex to extract theese numbers?

thanks a lot!

jamie00171 · ‎01-23-2023

Hi @ipteam,

Something like this should work for you:

<your search goes here>
| rex field=<insert field name that contains timestamp here> "(?<year>\d{4})\/(?<month>\d{2})\/(?<day>\d{2})\s+(?<hour>\d{2})\:(?<minutes>\d{2})\:(?<seconds>\d{2})"

Thanks,

Jamie

View solution in original post

PaulPanther · ‎01-23-2023

@ipteam You shouldn't need a field extraction. Splunk parses the timestamp into multiple fields like date_hour.

Sample search:

index=_internal
| where date_hour>07 AND date_hour<19

PickleRick · ‎01-23-2023

Those time fields are tricky because:

1) They might not get extracted at all

2) They represent the timestamp parts as included in the raw event. So if the original event included some exotic timezone, those fields will be in that timezone.

ipteam · ‎01-23-2023

Yes, would be great, but this filed is not equal to the generated time of the log. Unfortunatly it's a custom one.
Also interested in the regex what splits _time filed to day,hour.. and so on.

jamie00171 · ‎01-23-2023

Hi @ipteam,

Something like this should work for you:

<your search goes here>
| rex field=<insert field name that contains timestamp here> "(?<year>\d{4})\/(?<month>\d{2})\/(?<day>\d{2})\s+(?<hour>\d{2})\:(?<minutes>\d{2})\:(?<seconds>\d{2})"

Thanks,

Jamie

ipteam · ‎01-23-2023

Hello Jamie,

Works, thanks a lot!

How to use multiple numbers in search?

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?