bullet points in date value and can't strptime()

smahoney · ‎06-11-2020

For some reason there are invisible bullet points being extracted from the windows event message and I cant seem to be able to remove them to use it as a time.

The date gets extracted as the image below and prevents me from using it as a dateTime. How do you strip those out?

The previous system shutdown at 10:48:10 AM on ‎6/‎11/‎2020 was unexpected.

| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| eval shutdownAt=shutdown_date+" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%e/%d/%Y %I:%M:%S %p")

This is unable to to assign shutdownepoch

ChrisH · ‎06-11-2020

Doing an extra rex on the date field to split out the date parts should work. I tested it using the following SPL and it appeared to work.

| makeresults
| eval Message="The previous system shutdown at 10:48:10 AM on <u+200e>6/<u+200e>11/<u+200e>2020 was unexpected."
| rex field=Message "(?i)at\s(?P<lt;keresults
| eval Mshutdown_time
| eval Message="The >gt;down_time
| eval M[^\s].+)\son\s(?Pval Message="The prev<lt;].+)\son\s(?Pval Mshutdown_dates(?Pval Message="The >gt;down_dates(?Pval M[^\s]+)"
| rex field=shutdown_date "(?ious system shutdown <lt;]+)"
| rex field=smonth+)"
| rex field=shutd>gt;h+)"
| rex field=s\d{1,2})\/.(?x field=shutdown_date<lt;,2})\/.(?x field=sday;,2})\/.(?x field=shu>gt;,2})\/.(?x field=s\d{1,2})\/.(?x field=shutdown_date<lt;,2})\/.(?x field=syear,2})\/.(?x field=shut>gt;,2})\/.(?x field=s\d{4}).*"
| eval shutdownAt=month + "/" + day + "/" + year +" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%m/%d/%Y %I:%M:%S %p")
| table Message, shutdown_time, shutdown_date, shutdownAt, shutdownepoch, month, day, year

bullet points in date value and can't strptime()

field extraction

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All