Reputation: 1508
Splunk: Extract string and convert it to date format
I have such events:
something;<id>abc123<timeStamp>2021-12-10T23:10:12.044Z<timeStamp>2021-12-10T23:08:55.278Z>
I want to extract the Id abc123 and the two timeStamps.
index = something
|rex field=_raw "id>(?<Id>[0-9a-z-]+)"
|rex "timeStamp>(?<timeStamp>[T0-9-\.:Z]+)"
| table _time Id timeStamp
This works with the query above. But what I struggle now is to convert the timeStamp-string to date format to get at the end the min(timeStamp) extracted in order to compute the difference between the event's _time and the min(timeStamp) by the id field. I am struggling because of the special format of the timestamp with T and Z included in it.
Upvotes: 0
Views: 4271
Answers (2)
Reputation: 9916
There's nothing special about those timestamps - they're in standard form. Use the strptime function to convert them.
index = something
|rex field=_raw "id>(?<Id>[^\<]+)"
|rex "timeStamp>(?<timeStamp>[^\<]+)"
| eval ts = strptime(timeStamp, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval diff = ts - _time
| table _time Id timeStamp diff
Upvotes: 2
Reputation: 33435
Check out strftime.org, and the related strptime function used with eval
Something on the order of this (pulled the microseconds out of your rex, since Unix epoch time has no concept of subsecond intervals):
| rex field=_raw "timeStamp\>(?<timeStamp>[^\.]+)\.\d+Z"
| eval unixepoch=strptime(timeStamp,"%Y-%m-%dT%H:%M:%S")
Upvotes: 1
Related Questions
- Extract data from splunk
- manipulate string in splunk
- Using Splunk rex to extract String from logs
- Splunk extract a value from string which begins with a particular value
- How to parse information from a log message in splunk
- Splunk convert Wed Sep 23 08:00:00 PDT 2020 to _time and epoch time in splunk
- Splunk - regex extract fields from source
- How to extract data from the String in splunk?
- Splunk Custom Log format Parsing
- Need to extract and re-format with RegEx