Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex help, extract time and convert to epoch and show only if epoch time is within 24 hours ago

thaghost99
Path Finder
‎06-19-2024 07:18 AM

hi, i currently have this data and i would like to see if i can extract the date and time and see if it can display the LINE if its within the last 24 hours.

 

example: current time June 19 

result should be:  

drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

 

---------------------- DATA START below -----------------------

/opt/var.dp2/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 19 06:05 crashinfo

/opt/var.dp2/cores/crashinfo:
total 0

/var/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:05 crashjobs

/var/cores/crashinfo:
total 0

/var/cores/crashjobs:
total 0

/opt/panlogs/cores/:
total 0

/opt/var.cp/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K May 28 06:06 crashjobs

/opt/var.cp/cores/crashjobs:
total 0

/opt/var.dp1/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp1/cores/crashinfo:
total 0

/opt/var.dp1/cores/crashjobs:
total 0

/opt/var.dp0/cores/:
total 8.0K
drwxrwxrwx 2 root root 4.0K May 28 06:05 crashinfo
drwxr-xr-x 2 root root 4.0K May 28 06:07 crashjobs

/opt/var.dp0/cores/crashinfo:
total 0

/opt/var.dp0/cores/crashjobs:
total 0

 

---------------------- DATA END above -----------------------

Labels (3)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2024 08:01 AM

Try this

``` Parse the date ```
| rex "\s(?<date>\w{3}\s\d{1,2})\s"
``` Convert the date into epoch form ```
| eval epoch=strptime(date, "%b %d")
``` See if the date falls in the last 24 hours ```
| where epoch > relative_time(now(), "-24h")
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2024 08:01 AM

Try this

``` Parse the date ```
| rex "\s(?<date>\w{3}\s\d{1,2})\s"
``` Convert the date into epoch form ```
| eval epoch=strptime(date, "%b %d")
``` See if the date falls in the last 24 hours ```
| where epoch > relative_time(now(), "-24h")
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

thaghost99
Path Finder
‎06-24-2024 07:40 AM

if it shows no results, how can i make it so that the value of that 'epoch' value = OK versus 'Not Ok'

 

0 Karma
Reply
Solved! Jump to solution

thaghost99
Path Finder
‎06-19-2024 08:38 AM

thank you very much. it works.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2024 07:46 AM

Try something like this

| rex max_match=0 "(?m)^(\S+ ){5}(?<datetimefile>\w+ +\d+\s+\d+:\d+\s+\S+)$"
| mvexpand datetimefile
| eval timestamp=strptime(datetimefile,"%b %d %H:%M")
| where now()-timestamp < 24*60*60
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...