Hi, I am trying to extract the date and time from the field "message". It gives me everything after the date and time. I don't want the text after the time.
message
PubAck Packet sent to device 1234A and 12345678910FC at 08-21-2017 22:09:48.401.
Publish message received at 08-21-2017 18:50:04.841 for this service.
Required Output
08-21-2017 22:09:48.401
08-21-2017 18:50:04.841
My regex
rex field=message "at(?.+)"
My result
08-21-2017 22:09:48.401.
08-21-2017 18:50:04.841 for this service.
| makeresults | eval message="Publish message received at 08-21-2017 18:50:04.841 for this service." | rex field=message "at\s+(?P<datetime>\S+\s+\S+)"
Hey @sravani27, did either of these solutions work for you?
Try this. The fieldname will be time
... | rex "\sat\s(?<time>\d+\-\d+\-\d+\s\d+:\d+:\d+\.\d+)"
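Added example, not part of any post above: a Python comparison of the three patterns from this thread against both sample messages, showing where each capture stops and validating the result as a real timestamp. The group name `ts`, the function names and the `%m-%d-%Y` reading of the date are assumptions made for this illustration; Python's `re` needs `(?P<name>...)` where `rex` also accepts `(?<name>...)`.

```python
import re
from datetime import datetime

# The two sample messages from the question.
MESSAGES = [
    "PubAck Packet sent to device 1234A and 12345678910FC at 08-21-2017 22:09:48.401.",
    "Publish message received at 08-21-2017 18:50:04.841 for this service.",
]

PATTERNS = {
    # The question's approach: capture everything after "at".
    # (The original group name was lost on the page; "ts" is assumed.)
    "greedy": r"at(?P<ts>.+)",
    # First answer: two whitespace-delimited tokens after "at".
    "two_tokens": r"at\s+(?P<ts>\S+\s+\S+)",
    # Second answer: spell out the digits and separators.
    "explicit": r"\sat\s(?P<ts>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)",
}


def extract(pattern_name, message):
    """Return the captured text for one pattern, or None if it does not match."""
    m = re.search(PATTERNS[pattern_name], message)
    return m.group("ts") if m else None


def parse_timestamp(message):
    """Extract with the explicit pattern and confirm it is a valid date/time."""
    raw = extract("explicit", message)
    if raw is None:
        return None
    try:
        # Assumed layout: month-day-year, 24-hour clock, fractional seconds.
        return datetime.strptime(raw, "%m-%d-%Y %H:%M:%S.%f")
    except ValueError:
        # Digits matched the shape but are not a real date (e.g. month 99).
        return None


if __name__ == "__main__":
    for msg in MESSAGES:
        for name in PATTERNS:
            print(f"{name:10} -> {extract(name, msg)!r}")
        print(f"{'parsed':10} -> {parse_timestamp(msg)}")
```

The two-token pattern keeps the sentence-ending period when the timestamp is the last word of the message, which is why the digit-based pattern is the safer one for the first sample.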