
How to remove a few characters at the beginning of a field?

pench2k19
Explorer

Hi Team,

I have the following field values and I want to extract only the highlighted values from them.

utility_extract10_DELTA_708**2019-03-12 06:03:33**
utility_extract1_DELTA_708**2019-03-12 06:06:27**

Can you please give me a solution to this?


nickhills
Ultra Champion

hi @pench2k19

   |rex  "\*?(?P<my_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\*?" max_match=0

This will give you a new field called 'my_time' with just your extracted date.

This should work, given your source data: see https://regex101.com/r/hZQsA9/2

If my comment helps, please give it a thumbs up!

Vijeta
Influencer

@pench2k19 You can use the rex command below; suppose your field name is x:

 <your query>|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"

pench2k19
Explorer

No luck with this as well.

As I said in my previous comments, I have 22 values like the following in one field:

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract10_DELTA_9362019-03-12 06:07:00
utility_extract11_DELTA_7082019-03-12 06:08:17
utility_extract11_DELTA_9362019-03-12 06:07:35
utility_extract12_DELTA_7082019-03-12 06:08:39
utility_extract13_DELTA_7082019-03-12 06:08:40
utility_extract13_DELTA_9362019-03-12 06:10:21
utility_extract14_DELTA_7082019-03-12 06:09:52
utility_extract1_DELTA_7082019-03-12 06:06:27
utility_extract1_DELTA_9362019-03-12 06:06:51

but after I apply the above regex it gives me only 20 values in the output; 2 values are missing.


pench2k19
Explorer

No luck... it's still missing 2 values before and after we apply the rex expression.


Vijeta
Influencer

@pench2k19 Are you sure? I tried the query below and it resulted in the appropriate date/time value in the date field.

|makeresults|eval x="utility_extract10_DELTA_708*2019-03-12 06:03:33"| appendpipe[|eval x="utility_extract1_DELTA_7082019-03-12 06:06:27*"]|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"
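The timestamp pattern the answers above share, run outside Splunk so the behaviour on each value can be seen. This is an added example, not code from the thread: Splunk's rex is PCRE, and the subset used here (a named group, \d, \s and bounded quantifiers) behaves the same in Python's re module. The sample values are constructed to resemble the msg field in the thread; the last three are deliberate edge cases (surrounding markup, no timestamp, a T separator) and are not values anyone posted. The function names and the "end_anchored" variant are this example's own.

```python
import re

# Same timestamp pattern the answers above use. Splunk's rex is PCRE; this
# subset (named group, \d, \s, bounded quantifiers) behaves the same in Python.
UNANCHORED = r"(?P<my_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})"
# Variant anchored to the end of the value, as in one of the answers in the thread.
END_ANCHORED = UNANCHORED + r"$"

PATTERNS = {
    "unanchored": re.compile(UNANCHORED),
    "end_anchored": re.compile(END_ANCHORED),
}

# Constructed sample values modelled on the thread's msg field (not real data).
# The last three are deliberate edge cases to show what each pattern misses.
SAMPLE_VALUES = [
    "utility_extract10_DELTA_7082019-03-12 06:03:33",
    "utility_extract10_DELTA_9362019-03-12 06:07:00",
    "utility_extract1_DELTA_7082019-03-12 06:06:27",
    "utility_extract1_DELTA_708**2019-03-12 06:06:27**",  # surrounding markup
    "utility_extract15_DELTA_708",                         # no timestamp at all
    "utility_extract16_DELTA_7082019-03-12T06:11:05",      # 'T' instead of a space
]


def extract_timestamps(values, pattern=PATTERNS["unanchored"]):
    """Apply the rex-style pattern to each value.

    Returns (matches, misses): matches maps each value to its extracted
    timestamp; misses lists the values the pattern did not match, which is
    what `| where isnull(my_time)` would show in Splunk after the rex.
    """
    matches = {}
    misses = []
    for value in values:
        m = pattern.search(value)
        if m is None:
            misses.append(value)
        else:
            matches[value] = m.group("my_time")
    return matches, misses


def count_misses(values, patterns=PATTERNS):
    """Count, per candidate pattern, how many values it fails to match.

    This is the check to run when a rex returns fewer rows than expected:
    the pattern with zero misses on the real data is the one to keep.
    """
    return {name: len(extract_timestamps(values, pat)[1])
            for name, pat in patterns.items()}


if __name__ == "__main__":
    matches, misses = extract_timestamps(SAMPLE_VALUES)
    for value, ts in matches.items():
        print(f"{value!r:55} -> {ts}")
    print("unmatched:", misses)
    print("misses per pattern:", count_misses(SAMPLE_VALUES))
```

The same check in Splunk is `... | rex field=msg "(?P<my_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})" | where isnull(my_time)`, which lists exactly the rows the rex did not match; that is the quickest way to find the 2 values the thread could not account for. Note that rex only creates fields from named capture groups, so a pattern with no `(?P<name>...)` extracts nothing even when it matches.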

vnravikumar
Champion

Hi

Try like

yourquery|rex field=msg "_\d{3}(?P<date>\d{4}.+)"

or

yourquery|rex field=msg "(?P<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})$"

pench2k19
Explorer

No, this is not working for all the values... I have 22 values for the msg field before applying this rex, but after I apply it, it shows only 20 values... for 2 values the regex is not appropriate.

Posting here a few more values from that field:

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract10_DELTA_9362019-03-12 06:07:00
utility_extract11_DELTA_7082019-03-12 06:08:17
utility_extract11_DELTA_9362019-03-12 06:07:35
utility_extract12_DELTA_7082019-03-12 06:08:39
utility_extract13_DELTA_7082019-03-12 06:08:40
utility_extract13_DELTA_9362019-03-12 06:10:21
utility_extract14_DELTA_7082019-03-12 06:09:52
utility_extract1_DELTA_7082019-03-12 06:06:27
utility_extract1_DELTA_9362019-03-12 06:06:51

I just need to extract the date and time from that field.


vnravikumar
Champion

If possible, can you please post the two msg values that were missing?


vnravikumar
Champion

Try this rex: _.+(?P<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})


vnravikumar
Champion

Have you tried?


vnravikumar
Champion

Can you specify the required text?


pench2k19
Explorer

2019-03-12 06:03:33
2019-03-12 06:06:27


pench2k19
Explorer

The actual field values are like below:

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract1_DELTA_7082019-03-12 06:06:27

I want to extract

2019-03-12 06:03:33
2019-03-12 06:06:27, respectively.
