bullet points in date value and can't strptime()

smahoney
Path Finder

For some reason there are invisible bullet points being extracted from the Windows event message and I can't seem to be able to remove them to use it as a time.

The date gets extracted as the image below and prevents me from using it as a dateTime. How do you strip those out?

The previous system shutdown at 10:48:10 AM on ‎6/‎11/‎2020 was unexpected.

| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| eval shutdownAt=shutdown_date+" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%e/%d/%Y %I:%M:%S %p")

This is unable to assign shutdownepoch

[image: smahoney_0-1591891748789.png]

ChrisH
Explorer

Doing an extra rex on the date field to split out the date parts should work.  I tested it using the following SPL and it appeared to work.

| makeresults
| eval Message="The previous system shutdown at 10:48:10 AM on <u+200e>6/<u+200e>11/<u+200e>2020 was unexpected."
| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| rex field=shutdown_date "(?<month>\d{1,2})\/.(?<day>\d{1,2})\/.(?<year>\d{4}).*"
| eval shutdownAt=month + "/" + day + "/" + year +" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%m/%d/%Y %I:%M:%S %p")
| table Message, shutdown_time, shutdown_date, shutdownAt, shutdownepoch, month, day, year
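The same problem outside Splunk, as an added example that is not part of this thread: the "bullet points" are U+200E LEFT-TO-RIGHT MARK characters that Windows inserts around locale-formatted dates in event messages, and the script below shows both fixes in Python, stripping all Unicode format characters before strptime() and, like the answer's second rex, capturing only the digit runs. The message is a constructed copy of the Event ID text quoted in the question; all function names are my own.

```python
import re
import unicodedata
from datetime import datetime

# Constructed sample: the Windows "unexpected shutdown" message from the
# question, with the invisible U+200E marks Windows places before each date part.
SAMPLE_MESSAGE = (
    "The previous system shutdown at 10:48:10 AM on "
    "\u200e6/\u200e11/\u200e2020 was unexpected."
)

# Same capture groups as the rex in the question.
SHUTDOWN_RE = re.compile(
    r"(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
)
# %m rather than %e: %e is the space-padded day of month, and Windows does
# not zero-pad the month, so "6/11/2020" only parses with %m/%d/%Y.
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

def find_format_chars(text: str) -> list:
    """Return (offset, Unicode name) for every 'Cf' (format) character.
    U+200E/U+200F bidi marks, zero-width joiners and BOMs all fall in this
    category; they render invisibly but break strptime() and exact matches."""
    return [(i, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if unicodedata.category(ch) == "Cf"]

def strip_format_chars(text: str) -> str:
    """Drop every Unicode format character so the date is plain ASCII digits."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def parse_raw(message: str):
    """What the question's SPL does: parse without stripping. Returns None on
    failure, which is exactly what the invisible marks cause."""
    m = SHUTDOWN_RE.search(message)
    try:
        return datetime.strptime(f"{m['shutdown_date']} {m['shutdown_time']}", DATE_FMT)
    except ValueError:
        return None

def parse_stripped(message: str) -> datetime:
    """Fix 1: remove the format characters, then parse the whole date string."""
    m = SHUTDOWN_RE.search(strip_format_chars(message))
    return datetime.strptime(f"{m['shutdown_date']} {m['shutdown_time']}", DATE_FMT)

def parse_digits(message: str) -> datetime:
    """Fix 2 (the answer's approach): keep only the digit runs of the date and
    rebuild it, so any non-digit junk between them is ignored."""
    m = SHUTDOWN_RE.search(message)
    d = re.search(r"(?P<month>\d{1,2})\D+(?P<day>\d{1,2})\D+(?P<year>\d{4})",
                  m["shutdown_date"])
    rebuilt = f"{d['month']}/{d['day']}/{d['year']} {m['shutdown_time']}"
    return datetime.strptime(rebuilt, DATE_FMT)
```

In SPL the equivalent of strip_format_chars is a replace() on Message before the rex; the digit-run rex is what the answer above already does.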