I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.
Example String:
,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO
I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.
Any help is appreciated.
Like this:
... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"
Hi,
While using split I am facing an issue, in my events I have null values for a field sometimes.
for example -
f1,f2,f3,f4,f5 - this works perfectly
but below data with missing values in few fields giving issues.
f1,f2,,,f5
split command suggests f5 is f4
Can this be handled?
Thanks in advance!!!
@woodcock...Thank you for the response. This did work to extract the value I am looking for.
You just need the first in the list, use max_match=1
| rex field=<your field> max_match=1 ",(?<first_field>[^,]+)"
@arjunpkishore5...Thank you for the response. This did work to extract the value I am looking for.
Hi, I have this regular expression - [^"\n]"\w+\s+(?P[^"]+)
but when I try to do | rex field =_raw "[^"\n]"\w+\s+(?P[^"]+)" it doesn't work
You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.
... | eval foo=mvindex(split(_raw, ","), 1)
Indeed, I didn't think to solve it with split 🙂
In this case split vs regex:
"Too easy - let's muddle it up some..."
@richgalloway...Thank you for the response. This did work to extract the value I am looking for.
@mdurdel, If your problem is resolved, please accept an answer to help future readers.
Hi,
Try this
|rex field=_raw "\,(?P<Date>[^\s]+) (?P<Time>[^\s]+)" | table Date Time
Regards,
Anantha.
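An offline comparison of the extraction approaches suggested in this thread, run against the question's sample string and two constructed edge cases (empty leading items, a space after the comma). This is an added example, not code from any poster. It assumes Python's `re` and `str.split` as stand-ins for `rex` and `split`/`mvindex`, so the positional result for empty items is Python's behaviour and should be confirmed in Splunk; the function and constant names are hypothetical.

```python
import re

# Patterns from the thread, with named groups in Python's (?P<name>...) spelling.
FIRST_NONBLANK = re.compile(r"[,\s]+(?P<value>[^,]+)")
FIRST_AFTER_COMMA = re.compile(r",(?P<value>[^,]+)")
DATE_TIME = re.compile(r",(?P<Date>[^\s]+) (?P<Time>[^\s]+)")

# Sample string from the question.
SAMPLE = (",05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO"
          ",08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO"
          ",08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO")
# Constructed edge cases: empty leading items, and a space after the comma.
EMPTY_LEADING = ",,f3,f4"
SPACE_AFTER_COMMA = ", f1,f2"


def first_match(pattern, text):
    """Return the named groups of the first match only, or None if nothing matches."""
    m = pattern.search(text)
    return m.groupdict() if m else None


def by_index(text, index=1):
    """Assumed Python analogue of mvindex(split(field, ","), 1): positional, keeps empty items."""
    parts = text.split(",")
    return parts[index] if index < len(parts) else None


def compare(text):
    """Run every approach on one input so the differences show side by side."""
    return {
        "first_nonblank": first_match(FIRST_NONBLANK, text),
        "first_after_comma": first_match(FIRST_AFTER_COMMA, text),
        "date_time": first_match(DATE_TIME, text),
        "by_index": by_index(text),
    }


if __name__ == "__main__":
    for s in (SAMPLE, EMPTY_LEADING, SPACE_AFTER_COMMA):
        print(repr(s))
        for name, result in compare(s).items():
            print(f"  {name}: {result!r}")
```

On the sample string the two single-capture patterns and the positional lookup agree, while the Date/Time pattern keeps only the date and clock portion and leaves out the AM/PM marker and time zone.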