Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my current regex not extracting date and time fields from my log data?

mhng
New Member
‎04-21-2015 01:28 AM

Hi All

I have a log file which contain some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33

I tried to use this command, but it doesn't work for me. Any advise?

  My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 01:43 AM

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

View solution in original post

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-21-2015 01:47 AM

here is my proposition

........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table  begin end
SGF
Reply
Solved! Jump to solution

mhng
New Member
‎04-21-2015 05:58 AM

Thanks, your solution is working for me toooooo!

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-21-2015 01:44 AM

answers.splunk.com/answers/231450/regex-i-want-to-match-a-string-and-then-extract-th.html#answer-231454

0 Karma
Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 01:43 AM

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

Reply
Solved! Jump to solution

mhng
New Member
‎04-21-2015 05:58 AM

Thanks, for sharing this answer and the regex101 is awesome!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎04-21-2015 11:57 AM

Hi @mhng

If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...