Hi, I currently have this data and I would like to see if I can extract the date and time and display the LINE if it's within the last 24 hours.
Example: current time June 19
Result should be:
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo
---------------------- DATA START below -----------------------
/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo
/opt/var.dp2/cores/crashinfo:
total 0
/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs
/var/cores/crashinfo:
total 0
/var/cores/crashjobs:
total 0
/opt/panlogs/cores/:
total 0
/opt/var.cp/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K May 28 06:06 crashjobs
/opt/var.cp/cores/crashjobs:
total 0
/opt/var.dp1/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs
/opt/var.dp1/cores/crashinfo:
total 0
/opt/var.dp1/cores/crashjobs:
total 0
/opt/var.dp0/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs
/opt/var.dp0/cores/crashinfo:
total 0
/opt/var.dp0/cores/crashjobs:
total 0
---------------------- DATA END above -----------------------
Try this
``` Parse the date ```
| rex "\s(?<date>\w{3}\s\d{1,2})\s"
``` Convert the date into epoch form ```
| eval epoch=strptime(date, "%b %d")
``` See if the date falls in the last 24 hours ```
| where epoch > relative_time(now(), "-24h")
If it shows no results, how can I make it so that the value of that 'epoch' value = OK versus 'Not Ok'?
Thank you very much. It works.
Try something like this
| rex max_match=0 "(?m)^(\S+ ){5}(?<datetimefile>\w+ +\d+\s+\d+:\d+\s+\S+)$"
| mvexpand datetimefile
| eval timestamp=strptime(datetimefile,"%b %d %H:%M")
| where now()-timestamp < 24*60*60
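The same logic as the two SPL answers above, written in Python as an added example (this is not code from the thread): match each `ls -l` entry line, turn its timestamp into a datetime, and keep the lines that fall within the last 24 hours. It also covers two cases the SPL does not: `ls` prints a year instead of a time for entries older than about six months, and a month/day with no year is assumed to be the current year, so in January a `Dec 31 23:00` entry parses as a date in the future (where `now()-timestamp` is negative and still satisfies `< 24*60*60`); the example rolls such dates back one year. The listing is a trimmed, constructed copy of the data in the question plus one year-form line, and the `now` value is passed in rather than read from the clock so the result is reproducible. `status()` answers the follow-up question, assuming that finding a recent entry in a cores directory is the 'Not OK' case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a trimmed copy of the ls -lR style listing from the
# question, plus one "year-form" line (ls prints a year instead of a time for
# entries older than roughly six months) to show that format is handled too.
SAMPLE_LISTING = """\
/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo
/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs
-rw-r--r-- 1 root root 1.2M Dec 31  2022 core.old
"""

# Five whitespace-separated fields (mode, links, owner, group, size), then
# either "Mon DD HH:MM" or "Mon DD  YYYY", then the name. This mirrors the
# (\S+ ){5} anchor used in the second SPL answer's rex.
ENTRY_RE = re.compile(
    r"^(?:\S+\s+){5}(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?:(?P<hhmm>\d{2}:\d{2})|(?P<year>\d{4}))\s+(?P<name>\S+)$"
)


def _as_dt(now) -> datetime:
    """Accept a datetime or an ISO-8601 string such as '2024-06-19T12:00'."""
    return now if isinstance(now, datetime) else datetime.fromisoformat(now)


def parse_entry_time(line: str, now):
    """Return the entry's datetime, or None if the line is not a file entry.

    ls omits the year for recent files, so the current year is assumed; if
    that would place the entry in the future (a Dec 31 entry read on Jan 1)
    the date is rolled back one year instead of being treated as 'new'.
    """
    now = _as_dt(now)
    m = ENTRY_RE.match(line)
    if not m:
        return None  # directory header, "total N", or blank line
    if m.group("year"):
        return datetime.strptime(f"{m['mon']} {m['day']} {m['year']}", "%b %d %Y")
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['hhmm']} {now.year}", "%b %d %H:%M %Y"
    )
    if ts > now:
        try:
            ts = ts.replace(year=now.year - 1)
        except ValueError:  # Feb 29 when the previous year was not a leap year
            ts = ts.replace(year=now.year - 1, day=28)
    return ts


def recent_entries(listing: str, now, window=timedelta(hours=24)):
    """Lines of the listing whose timestamp lies within `window` before `now`."""
    now = _as_dt(now)
    out = []
    for line in listing.splitlines():
        ts = parse_entry_time(line, now)
        if ts is not None and timedelta(0) <= now - ts < window:
            out.append(line)
    return out


def status(listing: str, now) -> str:
    """Follow-up question: 'OK' when nothing is recent, otherwise 'Not OK'."""
    return "Not OK" if recent_entries(listing, now) else "OK"


if __name__ == "__main__":
    fixed_now = "2024-06-19T12:00"  # constructed "current time June 19"
    for line in recent_entries(SAMPLE_LISTING, fixed_now):
        print(line)
    print(status(SAMPLE_LISTING, fixed_now))
```

Run against the sample with the constructed "now" of June 19 it prints only the `Jun 19 06:05 crashinfo` line and `Not OK`; move `now` two days later and the listing yields no recent entries and the status becomes `OK`.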