Solved: Re: Extract a field using regex and display the ho...

pavanae · ‎08-30-2016

the following were some of the events from the search index=*

2016-08-30 21:04:42,995 INFO hgfshgfj
2016-04-23T20:07:22 jhkjhljlkjhkjh
2016-07-29 22:04:42,975 INFO mhjhgmhbgjh
2016-04-23T20:07:22 jhkjhljlkjhkjh

08/30/2016 09:16:39 PM jkhkj kjhjgjhg
8/30/16 jhghjhgjg

Now I'm trying to list out all the hosts,sources,source types that starts the events WITHOUT the yyyy-mm-dd format i.e; year-month-date format.

for example I want list out all the hosts,sources,source types for the following events

08/30/2016 09:16:39 PM jkhkj kjhjgjhg
8/30/16 jhghjhgjg

justinatpnnl · ‎08-30-2016

You could use the regex command to limit your results to just those events:

index=* | regex _raw!="^\d{4}-\d{2}-\d{2}"

Then you would be able to see which indexes, sources, and sourcetypes are left. From there you could take it a step further and do a stats command on it if you needed.

View solution in original post

justinatpnnl · ‎08-30-2016

You could use the regex command to limit your results to just those events:

index=* | regex _raw!="^\d{4}-\d{2}-\d{2}"

Then you would be able to see which indexes, sources, and sourcetypes are left. From there you could take it a step further and do a stats command on it if you needed.

pavanae · ‎08-30-2016

wanna exclude the below format too

[2016-08-20 21:39:56,829]

so modification needs to be done for the question?

justinatpnnl · ‎08-30-2016

So the difference being the brackets? Slight modification:

index=* | regex _raw!="^\[?\d{4}-\d{2}-\d{2}"

Extract a field using regex and display the hosts,sourcetype,index that contains that field?

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!