Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a string from an event?

owie6466
Explorer
‎08-07-2019 12:30 PM

Hello, I am very new to Splunk and I would like some help in doing this.

I need to extract from this field:
Event
1 hour ago, vmpit-p4cti002.lm.lmig.com, windows 6.3.9600.

and then check if it is less > 4 hours

I've been going through some answers and I, unfortunately, can't find the right one.

Thank you so much for any assistance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 12:51 PM

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎08-07-2019 12:51 PM

Try:

| rex "(?<Time>\d{1,2})\s+hour\s+ago" | where Time < 4
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 12:55 PM

I offer a slight modification to allow for "2 hours ago".

| rex "(?<Time>\d{1,2})\s+hours?\s+ago" | where Time < 4

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

owie6466
Explorer
‎08-07-2019 01:25 PM

thank you so much mayurr98 and richgalloway. i will try the code.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...