Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove the dynamic date and time from the incoming raw data and get the count

aaa2324
Explorer
‎04-30-2021 03:59 AM

How to compare the incoming data with dynamic date and time with the lookup table, example

i have incoming data in below format where the date and time keeps changing for every new entry

*abc -04/30 08:14:07 - c

*abc -04/30 08:03:20 -c

*abc -04/29 07:06:22 -c

and so on, I have to consolidate all the above data excluding the date and time and need to count how many times it is occurring. In my lookup table I have the same data in below format.

*abc -mm/dd hh:mm:ss -c

*abc -mm/dd hh:mm:ss-c

is there a way to get the desired results. ? Kindly advise 

Labels (2)
Labels
0 Karma
Reply

aaa2324
Explorer
‎05-02-2021 10:06 PM

Thanks how to change the script if there is comma in the middle

*abc -04/30, 08:14:07 - c

0 Karma
Reply

manjunathmeti
Champion
‎05-03-2021 10:05 PM

You add comma in the regex.

| rex mode=sed "s/\d{2}\/\d{2},?\s\d{2}:\d{2}:\d{2}//g"
0 Karma
Reply

manjunathmeti
Champion
‎04-30-2021 05:01 AM

You can use rex to remove the date time in the raw data.

| rex mode=sed "s/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}//g"
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...