Solved: Can I create a substring from this string with two...

kdimaria · ‎08-30-2017

I was just looking up the eval substr function in splunk and was wondering if it is possible to get a substring from 0 to a character. basically I have a field that contains two times with a message:

Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT

I basically want to get a substring and grab from the beginning to GMT and set it into a new field Message1 then grab the rest in another substring and put that into message two.
Message1= hello 8/30/2017 01:32:00 GMT
Message2= goodbye 8/30/2017 01:33:00 GMT

cpetterborg · ‎08-30-2017

Try something like:

|  makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

View solution in original post

cpetterborg · ‎08-30-2017

If you don't mind a multivalve field:

| makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT foo 8/30/2017 01:32:00 GMT bar 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<message>.*)" | rex field=message max_match=0 "(?P<Messages>.*?GMT)"

woodcock · ‎08-30-2017

Then you can add this:

| eval Message1=mvindex(message, 0)
| eval Message2=mvindex(message, 1)
| eval Message3=mvindex(message, 2)
| eval Message4=mvindex(message, 3)
| eval Message5=mvindex(message, 4)

cpetterborg · ‎08-30-2017

Try something like:

|  makeresults 
|  eval _raw="Message= hello 8/30/2017 01:32:00 GMT goodbye 8/30/2017 01:33:00 GMT"
|  rex "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

kdimaria · ‎08-30-2017

@cpetterborg I basically just want to split whenever I see "GMT" and put it into a new field

kdimaria · ‎08-30-2017

@cpetterborg Also there is the possibility of there being more than 2 messages with time stamps.

kdimaria · ‎08-30-2017

@cpetterborg There are multiple different events though that have different messages like this in a "Notes" field. will the rex command still work if I just did:

| makeresults | then the rex command you have?

niketn · ‎08-30-2017

@kdimaria, if your current field is Notes, you can use just the rex command on that field

 <YourBaseSearch>
| rex field=Notes "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

In case you dont know the field name you can directly apply on _raw data

 <YourBaseSearch>
|  rex field=_raw "Message= (?P<Message1>.*?GMT)\s(?P<Message2>.*)"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria · ‎08-30-2017

@niketnilay Thank you, I think this will work but now I just remembered that theres a possibility of there being more than two messages so I don't know how I would account for that and might have to approach this problem differently.

niketn · ‎08-30-2017

@kdimaria, if possible please add some samples.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria · ‎08-30-2017

actually I don't think that'd work

Can I create a substring from this string with two timestamps?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...