Splunk Search

regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

thaghost99
Path Finder

hi, i currently have this data and i would like to see if i can extract the date and time and see if it can display the LINE if its within the last 24 hours.

 

example: current time June 19 

result should be:  

drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

 

---------------------- DATA START below -----------------------

/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

/opt/var.dp2/cores/crashinfo:
total 0

/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs

/var/cores/crashinfo:
total 0

/var/cores/crashjobs:
total 0

/opt/panlogs/cores/:
total 0

/opt/var.cp/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K May 28 06:06 crashjobs

/opt/var.cp/cores/crashjobs:
total 0

/opt/var.dp1/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp1/cores/crashinfo:
total 0

/opt/var.dp1/cores/crashjobs:
total 0

/opt/var.dp0/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp0/cores/crashinfo:
total 0

/opt/var.dp0/cores/crashjobs:
total 0

 

---------------------- DATA END above -----------------------

Labels (4)
Tags (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this

``` Parse the date ```
| rex "\s(?<date>\w{3}\s\d{1,2})\s"
``` Convert the date into epoch form ```
| eval epoch=strptime(date, "%b %d")
``` See if the date falls in the last 24 hours ```
| where epoch > relative_time(now(), "-24h")
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try this

``` Parse the date ```
| rex "\s(?<date>\w{3}\s\d{1,2})\s"
``` Convert the date into epoch form ```
| eval epoch=strptime(date, "%b %d")
``` See if the date falls in the last 24 hours ```
| where epoch > relative_time(now(), "-24h")
---
If this reply helps you, Karma would be appreciated.

thaghost99
Path Finder

if it shows no results, how can i make it so that the value of that 'epoch' value = OK versus 'Not Ok'

 

0 Karma

thaghost99
Path Finder

thank you very much. it works.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| rex max_match=0 "(?m)^(\S+ ){5}(?<datetimefile>\w+ +\d+\s+\d+:\d+\s+\S+)$"
| mvexpand datetimefile
| eval timestamp=strptime(datetimefile,"%b %d %H:%M")
| where now()-timestamp < 24*60*60
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...