Hi, I am working with some legacy logs that have spaces in timestamps, e.g.
2012-07-12 06:00:05: 9 -07:00
2012-07-12 06:00:06:259 -07:00
2012-07-12 06:01:05: 45 -07:00
Is there a way for Splunk to extract the timestamps as '2012-07-12 06:00:05: 9 -07:00' etc.?
Thanks!
Yes, the slashes are needed, I did not notice that they got dropped when I pasted in my code sample. Something I still goof up on now and again on this site. It should work with the slashes included, I tested it and it worked for me just fine.
Use this to create a field extraction. Test it first as follows:
sourcetype={your_sourcetype} | rex field=_raw "(?P<eventDateTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}:\s*(\d+))"
Then copy the code between the double-quote marks into the regex in Field Extractions to save it for your App.
Hi, it doesn't work. Also, don't we need a backslash \ in front of 'd' and 's'?
Hi, rgcurry,
Thanks, so I will put this into the regex? (Not the timestamp strftime format.)
Thanks again!
Try this:
\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}:\s*(\d+)\s-\d{2}:\d{2}
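To check the pattern before saving it as a field extraction, here is an added example (not from the thread or from Splunk) that runs the same regex from the reply above, with the trailing offset included, over the three sample lines from the question. Splunk's rex uses PCRE and shares the (?P<name>...) named-group syntax with Python's re module, so the expression can be tested as-is. The normalize() and parse() helpers go one step further than the thread and assume, which the page does not state, that the space-padded digits after the seconds are a right-aligned millisecond field (so ': 9' means 009 ms); the sample lines are constructed from the question.

```python
import re
from datetime import datetime

# Constructed sample input: the three lines posted in the question.
SAMPLE_LINES = [
    "2012-07-12 06:00:05: 9 -07:00",
    "2012-07-12 06:00:06:259 -07:00",
    "2012-07-12 06:01:05: 45 -07:00",
]

# Same pattern as the final reply, with named sub-groups so the pieces can be reused.
# \s* before the fractional digits is what tolerates the space padding in ': 9'.
TIMESTAMP_RE = re.compile(
    r"(?P<eventDateTime>"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s"
    r"(?P<time>\d{2}:\d{2}:\d{2}):"
    r"\s*(?P<frac>\d+)\s"
    r"(?P<tz>-\d{2}:\d{2})"
    r")"
)


def extract_event_datetime(line):
    """Return the raw timestamp text the regex captures (what rex would put
    into eventDateTime), or None if the line does not match."""
    m = TIMESTAMP_RE.search(line)
    return m.group("eventDateTime") if m else None


def normalize(line):
    """Rewrite the timestamp with the fractional field zero-padded to 3 digits.

    Assumption (not stated on the page): the space-padded digits are a
    right-aligned millisecond field, so ': 9' means 009 ms and ': 45' means 045 ms.
    Returns None if the line does not match.
    """
    m = TIMESTAMP_RE.search(line)
    if not m:
        return None
    frac = m.group("frac").zfill(3)
    return f"{m.group('date')} {m.group('time')}.{frac} {m.group('tz')}"


def parse(line):
    """Parse the normalized form into a timezone-aware datetime with strptime,
    so the result can be compared against what a strptime-style TIME_FORMAT
    would produce. Returns None if the line does not match."""
    norm = normalize(line)
    if norm is None:
        return None
    # %z accepts the '-07:00' form (colon included) on Python 3.7+.
    return datetime.strptime(norm, "%Y-%m-%d %H:%M:%S.%f %z")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(extract_event_datetime(line)), "->", parse(line).isoformat())
```

If the raw captured text is all you need, extract_event_datetime() is the direct equivalent of the rex field; the two helpers show what extra step is required before a strptime-style format can consume these values, since strptime has no directive for a space-padded fractional field.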