bullet points in date value and can't strptime()

smahoney · ‎06-11-2020

For some reason there are invisible bullet points being extracted from the windows event message and I cant seem to be able to remove them to use it as a time.

The date gets extracted as the image below and prevents me from using it as a dateTime. How do you strip those out?

The previous system shutdown at 10:48:10 AM on ‎6/‎11/‎2020 was unexpected.

| rex field=Message "(?i)at\s(?P<shutdown_time>[^\s].+)\son\s(?P<shutdown_date>[^\s]+)"
| eval shutdownAt=shutdown_date+" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%e/%d/%Y %I:%M:%S %p")

This is unable to to assign shutdownepoch

ChrisH · ‎06-11-2020

Doing an extra rex on the date field to split out the date parts should work. I tested it using the following SPL and it appeared to work.

| makeresults
| eval Message="The previous system shutdown at 10:48:10 AM on <u+200e>6/<u+200e>11/<u+200e>2020 was unexpected."
| rex field=Message "(?i)at\s(?P<lt;keresults
| eval Mshutdown_time
| eval Message="The >gt;down_time
| eval M[^\s].+)\son\s(?Pval Message="The prev<lt;].+)\son\s(?Pval Mshutdown_dates(?Pval Message="The >gt;down_dates(?Pval M[^\s]+)"
| rex field=shutdown_date "(?ious system shutdown <lt;]+)"
| rex field=smonth+)"
| rex field=shutd>gt;h+)"
| rex field=s\d{1,2})\/.(?x field=shutdown_date<lt;,2})\/.(?x field=sday;,2})\/.(?x field=shu>gt;,2})\/.(?x field=s\d{1,2})\/.(?x field=shutdown_date<lt;,2})\/.(?x field=syear,2})\/.(?x field=shut>gt;,2})\/.(?x field=s\d{4}).*"
| eval shutdownAt=month + "/" + day + "/" + year +" "+shutdown_time
| eval shutdownepoch=strptime(shutdownAt,"%m/%d/%Y %I:%M:%S %p")
| table Message, shutdown_time, shutdown_date, shutdownAt, shutdownepoch, month, day, year

bullet points in date value and can't strptime()

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!