Splunk Search

bullet points in date value and can't strptime()


For some reason there are invisible bullet points being extracted from the windows event message and I cant seem to be able to remove them to use it as a time.

The date gets extracted as the image below and prevents me from using it as a dateTime.  How do you strip those out?

The previous system shutdown at 10:48:10 AM on ‎6/‎11/‎2020 was unexpected.

| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| eval shutdownAt=shutdown_date+" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%e/%d/%Y %I:%M:%S %p")

This is unable to to assign shutdownepoch



Labels (1)
Tags (1)
0 Karma


Doing an extra rex on the date field to split out the date parts should work.  I tested it using the following SPL and it appeared to work.

| makeresults
| eval Message="The previous system shutdown at 10:48:10 AM on ‎6/‎11/‎2020 was unexpected."
| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| rex field=shutdown_date "(?<month>\d{1,2})\/.(?<day>\d{1,2})\/.(?<year>\d{4}).*"
| eval shutdownAt=month + "/" + day + "/" + year +" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%m/%d/%Y %I:%M:%S %p")
| table Message, shutdown_time, shutdown_date, shutdownAt, shutdownepoch, month, day, year


.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!