
Trying to capture the timestamp in this log event (for Splunk)

    172.21.201.135 | http | o@1I0BTOx1063x3667295x0 | hkv | 2020-06-10 17:43:18,951 | "POST /rest/build-status/latest/commits/stats HTTP/1.1" | "http://bitbucket.my.com/projects/WF/repos/klp-libs/compare/commits" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" | 200 | 345 | 431 | - | 5 | 3dk4qm | 

When set, Splunk software uses the specified regular expression to look for a match before attempting to extract a timestamp.

    TIME_PREFIX = <regular expression>  

But I have not yet been able to create a regex that matches on the fourth '|' in the log event above.

rhellem
  • Not a total newbie when it comes to regex, and I have spent about an hour on Google and https://regex101.com/ - found a lot of hints, but I have not been able to master this particular issue – rhellem Jun 10 '20 at 16:20
  • Sure, so share something that you think is what should work for us to see where the problem is. – Wiktor Stribiżew Jun 10 '20 at 16:30
  • https://stackoverflow.com/questions/62309003/regex-match-the-nth-number-of-char-then-stop-non-greedy – rhellem Jun 10 '20 at 16:56
  • You could just update this one. No need to repost the same questions. – Wiktor Stribiżew Jun 10 '20 at 16:59
  • Sorry about that, I did hover "reopen" and it shows "vote to reopen" ...so I gave up before trying...but, since I do have the regex now, the question is changed to how to make it non-greedy (hoping that it is the correct terminology...) – rhellem Jun 10 '20 at 17:06
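
An added example, not part of the original question or its comments: a small Python harness that checks candidate `TIME_PREFIX` patterns against the event above and shows why a greedy `.*` overshoots the fourth `|`. Python's `re` stands in for Splunk's regex engine here, and the pattern names, the shortened user-agent and the `props.conf` values in the comments are assumptions that have not been run against a Splunk instance.

```python
import re
from datetime import datetime

# Event from the question; the user-agent string is shortened (constructed sample).
EVENT = ('172.21.201.135 | http | o@1I0BTOx1063x3667295x0 | hkv | '
         '2020-06-10 17:43:18,951 | "POST /rest/build-status/latest/commits/stats HTTP/1.1" | '
         '"http://bitbucket.my.com/projects/WF/repos/klp-libs/compare/commits" "Mozilla/5.0" | '
         '200 | 345 | 431 | - | 5 | 3dk4qm | ')

# Candidate TIME_PREFIX values (names are hypothetical).
GREEDY = r'^.*\|\s*'                 # .* runs to the end and backtracks to the LAST pipe
LAZY = r'^(?:.*?\|){4}\s*'           # non-greedy: each .*? stops at the next pipe
FOURTH_PIPE = r'^(?:[^|]*\|){4}\s*'  # [^|]* can never cross a pipe, no backtracking needed

# Suggested props.conf equivalent (assumption, untested):
#   TIME_PREFIX = ^(?:[^|]*\|){4}\s*
#   TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 23
PY_TIME_FORMAT = '%Y-%m-%d %H:%M:%S,%f'  # Python spelling of the format above
LOOKAHEAD = 23                           # len('2020-06-10 17:43:18,951')


def extract_timestamp(event, time_prefix):
    """Return the datetime located right after the prefix match, else None."""
    m = re.search(time_prefix, event)
    if m is None:
        return None  # fewer than four pipes: no prefix, no timestamp
    window = event[m.end():m.end() + LOOKAHEAD]
    try:
        return datetime.strptime(window, PY_TIME_FORMAT)
    except ValueError:
        return None  # prefix ended somewhere that is not a timestamp


if __name__ == '__main__':
    for name, pattern in (('greedy', GREEDY), ('lazy', LAZY), ('fourth pipe', FOURTH_PIPE)):
        print(f'{name:12} {pattern:22} -> {extract_timestamp(EVENT, pattern)}')
```

The negated character class is the safer of the two working patterns: it does the same job as the lazy quantifier without relying on backtracking.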

0 Answers