Here's the test search that I was using:
| makeresults
| eval fieldtestudp="Jul 1 19:58:45 filterlog: 67,,,1509205722,igb1,match,pass,in,4,0x0,,64,43017,0,none,17,udp,56,192.168.X.X,X.X.X.X,56393,53,36"
| rex mode=sed field=fieldtestudp "s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+.\S+\s+/\1/g"
| table fieldtestudp
The result I got was this:
Jul 1 19:58:45 67,,,1509205722,igb1,match,pass,in,4,0x0,,64,43017,0,none,17,udp,56,192.168.X.X,X.X.X.X,56393,53,36
Which seems correct to me... The SEDCMD says:
s/^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+.\S+\s+/\1/g
s/ => substitute.
^ => from the start
( => capture into buffer 1
\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s -> the time stamp
) => end capture.
\S+.\S+\s+ => <at least 1 non-white space> <any char><at least 1 non-whitespace><at least 1 space>
/ => substitute with
\1 => the contents of buffer 1.. (the time stamp)
/g => (globally)
In a nutshell it says...
s/Jul 1 19:58:45 filterlog:/Jul 1 19:58:45/g
I'd think that there'd be an easier way to get that done, but there ya go.
Maybe if you play around with my search it'll help you a bit.
Hope that helps.
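As an added example (not from the post above, and not Splunk's own code), the same sed substitution applied with Python's re module, followed by splitting the remaining CSV into named fields. The field names follow the pfSense filterlog IPv4/UDP layout but are my own labels, and the sample lines are constructed; a second sample adds a hostname before "filterlog:" to show that the `.` in `\S+.\S+` also absorbs that case.

```python
import re

# The post's SEDCMD as a Python regex. The `+` after the group and the `.`
# inside `\S+.\S+` are kept exactly as written in the post.
PROGRAM_TAG = re.compile(r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)+\S+.\S+\s+")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(.*)$")

# pfSense filterlog CSV layout for an IPv4 UDP record (field names are mine).
COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
UDP_FIELDS = ["length", "src", "dst", "sport", "dport", "datalen"]


def strip_program_tag(line: str) -> str:
    """Apply the post's SEDCMD: keep the timestamp, drop the token(s) before the CSV."""
    return PROGRAM_TAG.sub(r"\1", line)


def parse_filterlog(line: str) -> dict:
    """Strip the tag, then name the CSV fields of an IPv4 UDP filterlog record."""
    m = TIMESTAMP.match(strip_program_tag(line))
    if not m:
        raise ValueError(f"no syslog timestamp at start of line: {line!r}")
    timestamp, payload = m.groups()
    values = payload.split(",")
    record = dict(zip(COMMON_FIELDS, values))
    if record.get("ipver") != "4":
        raise ValueError(f"only IPv4 records handled, got ipver={record.get('ipver')!r}")
    record.update(zip(IPV4_FIELDS, values[len(COMMON_FIELDS):]))
    if record.get("proto") != "udp":
        raise ValueError(f"only UDP records handled, got proto={record.get('proto')!r}")
    rest = values[len(COMMON_FIELDS) + len(IPV4_FIELDS):]
    if len(rest) != len(UDP_FIELDS):
        raise ValueError(f"expected {len(UDP_FIELDS)} UDP fields, got {len(rest)}")
    record.update(zip(UDP_FIELDS, rest))
    record["timestamp"] = timestamp
    return record


# Constructed sample lines (addresses from documentation ranges, not real hosts).
SAMPLE = ("Jul 1 19:58:45 filterlog: 67,,,1509205722,igb1,match,pass,in,4,0x0,,64,"
          "43017,0,none,17,udp,56,192.168.1.10,203.0.113.5,56393,53,36")
# Same record with a syslog hostname between the timestamp and the program tag.
SAMPLE_WITH_HOST = SAMPLE.replace("filterlog:", "fw1 filterlog:", 1)

if __name__ == "__main__":
    print(strip_program_tag(SAMPLE))
    print(strip_program_tag(SAMPLE_WITH_HOST))
    print(parse_filterlog(SAMPLE))
```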