How to remove a few characters at the beginning of...

pench2k19 · ‎03-12-2019

Hi Team,

I have the following field values and i want extract only the highlighted values from it.

utility_extract10_DELTA_708**2019-03-12 06:03:33**
utility_extract1_DELTA_708**2019-03-12 06:06:27**

Can you please give me a solution to this?

nickhills · ‎03-12-2019

hi @pench2k19

   |rex  "\*?(?P<my_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\*?" max_match=0

This will give you a new field called 'my_time' with just your extracted date.

This should work, given your source data: see https://regex101.com/r/hZQsA9/2

If my comment helps, please give it a thumbs up!

Vijeta · ‎03-12-2019

@pench2k19 You can use the below rex command , suppose your field name is x

 <your query>|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"

pench2k19 · ‎03-12-2019

no luck with this as well.

as i said in my previous comments i have 22 values like the follwoing in one field

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract10_DELTA_9362019-03-12 06:07:00
utility_extract11_DELTA_7082019-03-12 06:08:17
utility_extract11_DELTA_9362019-03-12 06:07:35
utility_extract12_DELTA_7082019-03-12 06:08:39
utility_extract13_DELTA_7082019-03-12 06:08:40
utility_extract13_DELTA_9362019-03-12 06:10:21
utility_extract14_DELTA_7082019-03-12 06:09:52
utility_extract1_DELTA_7082019-03-12 06:06:27
utility_extract1_DELTA_9362019-03-12 06:06:51

but after i apply above regex it is giving me only 20 values result in the output, 2 values are missing

pench2k19 · ‎03-12-2019

no luck..its still missing 2 values before and after we apply rex expression

Vijeta · ‎03-12-2019

@pench2k19 Are you sure, I tried the below query and it resulted in appropriate date/time value in date field.

|makeresults|eval x="utility_extract10_DELTA_708*2019-03-12 06:03:33"| appendpipe[|eval x="utility_extract1_DELTA_7082019-03-12 06:06:27*"]|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"

vnravikumar · ‎03-12-2019

Hi

Try like

yourquery|rex field=msg "_\d{3}(?P<date>\d{4}.+)"

or

yourquery|rex field=msg "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}$"

pench2k19 · ‎03-12-2019

no this is not working for all the values...i have 22 values for msg field before apply this rex, but after i apply its showing only 20 values...for 2 values the regex is not appropriate..

Posting here few more values from that value

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract10_DELTA_9362019-03-12 06:07:00
utility_extract11_DELTA_7082019-03-12 06:08:17
utility_extract11_DELTA_9362019-03-12 06:07:35
utility_extract12_DELTA_7082019-03-12 06:08:39
utility_extract13_DELTA_7082019-03-12 06:08:40
utility_extract13_DELTA_9362019-03-12 06:10:21
utility_extract14_DELTA_7082019-03-12 06:09:52
utility_extract1_DELTA_7082019-03-12 06:06:27
utility_extract1_DELTA_9362019-03-12 06:06:51

i just neeed to extract the date and time from that field

vnravikumar · ‎03-12-2019

If possible can you please post that two msg that was missing

vnravikumar · ‎03-12-2019

try this rex _.+(?P<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})

vnravikumar · ‎03-12-2019

Have you tried?

vnravikumar · ‎03-12-2019

Can you specify the required text

pench2k19 · ‎03-12-2019

2019-03-12 06:03:33
2019-03-12 06:06:27

pench2k19 · ‎03-12-2019

actual field values are like below

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract1_DELTA_7082019-03-12 06:06:27

i want to extract

2019-03-12 06:03:33
2019-03-12 06:06:27 respectively

How to remove a few characters at the beginning of a field?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM