Splunk Search

Using Rex command to extract time duration in hh:mm:ss

harshparikhxlrd
Path Finder

Hello, I am trying to extract data, specifically time data in hh:mm:ss:nn format and put it on a table. When I do, I get no results to show up on my code.

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="11/05/2019 10:21:04 AM
LogName=Application
SourceName=RoboticLogging
EventCode=0
EventType=4
Type=Information
ComputerName=WTWFBVZP.UNITOPR.UNITINT.TEST.STATEFARM.ORG
TaskCategory=%1
OpCode=Info
RecordNumber=51614
Keywords=Classic
Message=<Robotics Workstation=\"WTWFBVZP\" UserID=\"UNTOPR\OE1OTD\" Department=\"HRSS_NEO\" TaskID=\"Daily NEO Report\" Automation=\"NEO_P_SplunkMetrics\" Message=\"Number of supervisor reminder memos sent: 6,Number of New Employees in NEO Report without job title Temporary Agy Svc Asst: 988,Number of New Employees in NEO Report with job title Temporary Agy Svc Asst: 23,Duration: 00:01:50.5270509\" AdditionalInfo1=\"NA\" AdditionalInfo2=\"NA\""
| kv
| eval _time=mvindex(split(_raw,"
"),0)
| eval _time=strptime(_time,"%m/%d/%Y %T %p")
| fieldformat _time=strftime(_time,"%m/%d/%Y %T %p")
| rex "Message=\"(?<Message>[^\"]+)\""
| table _time LogName SourceName EventCode EventType Type ComputerName TaskCategory OpCode RecordNumber Keywords
,Workstation UserID Department TaskID Automation Message AdditionalInfo1 AdditionalInfo2
| appendpipe 
    [eval _raw = Message
    | eval _raw = replace(_raw,"(\d+:\d+:\d+\.\d+)","\"\1\"")
    | extract pairdelim="," kvdelim=":"
    | fields - _raw]
    | selfjoin Message

Hi, folks.
That's all?

0 Karma

marycordova
SplunkTrust
SplunkTrust

Try this for help: https://regex101.com/

@marycordova
0 Karma

marycordova
SplunkTrust
SplunkTrust

post a sample of your data please

@marycordova

harshparikhxlrd
Path Finder

Added my data sample to post.

0 Karma

marycordova
SplunkTrust
SplunkTrust

can you just post it to your question?

@marycordova
0 Karma

harshparikhxlrd
Path Finder

I can't. It won't let me post the whole data.

0 Karma

harshparikhxlrd
Path Finder
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...