alexandru.stoch

Various time and date formats in regex flexconnector

Hi again,

Hi,

Lately I've been configuring a lot of flexconnectors. And with your help I managed to accomplish all the tasks. But now, I have another challenge for you.

I have the next file with the following logs:

$/admin
Version: 10
User: User           Date:  2/01/11 Time:  1:38p
name_file.txt added
Comment: teste log acces
$/path_name
Version: 348
User: User         Date: 2.02.11  Time: 10:47a
1.pdf renamed to 2.pdf
$/path_name/name.fmb
Version: 9
User: User1       Date:  2.02.11  Time:  11:57
Checked in
$/path_name/name01.fmb
Version: 8
User: User2      Date:  7-02-11  Time:  15:16
Checked in

As you can see, the date and time have multiple patterns. I think they are user workstation configuration based, so it is not set from the logging source. Anyway, I need to parse this file and I think I can do it with submessages. More than that, I found that I can only use the default submessage form with multiple patterns because I don't have event IDs.
I've attached 2 configs. One is working only for the 3rd event and one is what I tried to do regarding the submessage approach for the first event type.
Can you help me please?
Best regards.

Accepted Solutions
alexandru.stoch

Hi all,

Yes, I've managed to solve this. Maybe someone else needs the solution for this.

The actual parsing is the following:

event.endTime=__oneOfDateTime(__safeToDate(__concatenate(Date,Time),"d/MM/yyK:mma"),__safeToDate(__concatenate(Date,Time),"d.MM.yyK:mma"),__safeToDate(__concatenate(Date,Time),"d-MM-yyHH:mm"))

Thanks all.
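
The try-each-format fallback from the accepted answer, re-created in Python as an added example (not part of the original posts and not ArcSight code), run over the sample log from the question. The strptime formats are assumed counterparts of the posted patterns; under them the dotted date with a 24-hour time (third sample event) matches none of the three, so the example adds a fourth candidate and returns None for anything unparsed instead of dropping it.

```python
import re
from datetime import datetime

# Constructed from the sample log in the question (four events).
SAMPLE_LOG = """\
$/admin
Version: 10
User: User           Date:  2/01/11 Time:  1:38p
name_file.txt added
$/path_name
Version: 348
User: User         Date: 2.02.11  Time: 10:47a
1.pdf renamed to 2.pdf
$/path_name/name.fmb
Version: 9
User: User1       Date:  2.02.11  Time:  11:57
Checked in
$/path_name/name01.fmb
Version: 8
User: User2      Date:  7-02-11  Time:  15:16
Checked in
"""

# Assumed strptime counterparts of the three patterns in the accepted answer.
POSTED = ["%d/%m/%y %I:%M%p", "%d.%m.%y %I:%M%p", "%d-%m-%y %H:%M"]
# Extra candidate for the dotted date with a 24-hour time (third sample event).
EXTENDED = POSTED + ["%d.%m.%y %H:%M"]

FIELDS = re.compile(r"Date:\s*(\S+)\s+Time:\s*(\S+)")

def first_match(date, time, formats):
    """Return the first successful parse, or None if no format fits."""
    if time[-1:].lower() in ("a", "p"):   # '1:38p' -> '1:38PM'
        time = time.upper() + "M"
    for fmt in formats:
        try:
            return datetime.strptime(f"{date} {time}", fmt)
        except ValueError:
            continue
    return None

def parse_log(text, formats):
    """Return (raw_date, raw_time, datetime-or-None) for every User: line."""
    return [(d, t, first_match(d, t, formats)) for d, t in FIELDS.findall(text)]

if __name__ == "__main__":
    for d, t, ts in parse_log(SAMPLE_LOG, EXTENDED):
        print(f"{d:>8} {t:>6} -> {ts.isoformat() if ts else 'UNPARSED'}")
```

Counting the None results per source is a cheap check that a new workstation date format has not started producing events without a usable end time.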

balahasan.v1

Hi Alexandru Stochitoiu,

Try this out Regex= (18|19|20)\d\d+([-\s/.])+(0[1-9]|1[12])+([-\s/.])+([0-9]|1[1-9]|2[1-9]|3[01])+

alexandru.stoch

Hi Balahasan,

The parsing is not the problem, but the mapping into a time field in ArcSight. Because I have many types of time formats, I didn't find a way to map it correctly (set a proper date format) into ArcSight. So for this kind of events I can't order them by a time parameter.

Kind regards.

balahasan.v1

Hi Alexandru Stochitoiu,

That is surely a long time ago.

I think you can use the Date Format option with Default Zone Mappings to make all time fields to CEF format. I can give the exact config file, but our test environment has been down for the past 2 months...

Ex:

token[0].name=date-time

token[0].type=TimeStamp

token[0].format=MMM dd HH:mm:ss Z                    (Z for Time Zone Mapping)...

Likewise, if you go through the Flex Guide for other time token formats, you will find what you want, I guess.

Please Revert if the Problem Persists.

Thanks and Regards,

Balahasan.V

alexandru.stoch

Hi again,

Keep in mind that the time is given in two types. How should I set the type of the date-time to include both types (17:30 and 1:30 a)?

thanks.

habex3791

Hi Alexandru,

I think you managed to solve this years ago. But if not...

...imho you could use token alternation, like ((token1)|(token2)) with the according regex inside and address both tokens like endTime=__oneOfDateTime(token1,token2).

Regards,

H.
