Splunk: How to grab certain section from result in splunk?

Question

I am using this query in splunk search -

index="some_index" | dedup source | sort -source | dedup sourcetype | table sourcetype, source

My result shows like this -

sourcetype                     source
-----------                 --------------

dev_architecture_dev1    /u01/splunk/etc/apps/dev-data/data/dev1/dev1-20150629133045.log
dev_architecture_dev2    /u01/splunk/etc/apps/dev-data/data/dev2/dev2-20150626124438.log

I want to grab only the year, month, day, hour, min and sec right before ".log". e.g. 20150629133045. And then display it like 2015-06-29 13:30:45 in the 'source' column.

Is there a way to do it in Splunk6?

Thanks for looking at the question. Hoping to get some answers.

if you want to do it with splunk, the awk, sed, grep tags are irrelevant. Removing them. — fedorqui, Jul 01 '15 at 08:54

score 0 · Answer 1 · answered Mar 27 '17 at 03:18

0

Capture the data

| rex field=source ".*?(?<dt>\d+)\.log"

Parse into time

| eval dt = strptime(dt, "%Y%m%d%H%M%S")

Format however you need

| eval dt = strftime(dt, "%Y-%m-%d %H:%M:%S")

Output

| table sourcetype source dt

answered Mar 27 '17 at 03:18

Peter McIntyre

122
1
9

Splunk: How to grab certain section from result in splunk?

1 Answers1