<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Extract date from the Splunk log in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383696#M69075</link>
    <description>&lt;P&gt;@FrankVI they are separate events, I need to get it on an order basis, like the first occurred start date with the first occurred end date, the second occurred start date with the second occurred end date, ... and so on. Can you please suggest what else I can do?&lt;/P&gt;</description>
    <pubDate>Mon, 07 May 2018 09:34:21 GMT</pubDate>
    <dc:creator>karthi25</dc:creator>
    <dc:date>2018-05-07T09:34:21Z</dc:date>
    <item>
      <title>Extract date from the Splunk log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383694#M69073</link>
      <description>&lt;P&gt;I have a Splunk log which looks like below:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: SUCCESSFULLY COMPLETED at END_TIME: 2018-05-07T06:05:17.475Z

||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.batch.listener.OpportunityJobListener - OPPORTUNITY_JOB: ACTIVE at START_TIME: 2018-05-07T06:04:44.981Z

||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: SUCCESSFULLY COMPLETED at END_TIME: 2018-05-09T07:10:17.475Z

||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.batch.listener.OpportunityJobListener - OPPORTUNITY_JOB: ACTIVE at START_TIME: 2018-05-09T07:08:44.981Z
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I want to get the start date and end date from the log. So, my output would be like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;START_DATE                                                          END_DATE
---------------------------------------------------------------------------------
2018-05-09T07:08:44.981Z                    2018-05-09T07:10:17.475Z
2018-05-07T06:04:44.981Z                    2018-05-07T06:05:17.475Z
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have tried the below query, but it returns nothing:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;base search| rex field=_raw "ACTIVE at START_TIME:\[(?[^ ]+)"| rex field=_raw "SUCCESSFULLY COMPLETED at END_TIME:\[(?[^ ]+)"|table START_DATE,END_DATE
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Can anyone please suggest the solution and what I am doing wrong here?&lt;/P&gt;</description>
      <pubDate>Mon, 07 May 2018 09:18:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383694#M69073</guid>
      <dc:creator>karthi25</dc:creator>
      <dc:date>2018-05-07T09:18:38Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from the Splunk log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383695#M69074</link>
      <description>&lt;P&gt;Your regex seems wrong. What is that &lt;CODE&gt;\[&lt;/CODE&gt; doing in there? There is no &lt;CODE&gt;[&lt;/CODE&gt; in your log on that position. There is a space after the &lt;CODE&gt;:&lt;/CODE&gt; though, which you are not matching.&lt;/P&gt;

&lt;P&gt;So it should be (also adding field names to the capture groups):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;base search| rex field=_raw "ACTIVE at START_TIME:\s+(?&amp;lt;START_DATE&amp;gt;[^\s]+)"| rex field=_raw "SUCCESSFULLY COMPLETED at END_TIME:\s+(?&amp;lt;END_DATE&amp;gt;[^\s]+)"|table START_DATE,END_DATE
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;PS: are those start and end logs separate events? Then you might first need to combine these somehow, to actually get start and end date on a single line in your results.&lt;/P&gt;</description>
      <pubDate>Mon, 07 May 2018 09:27:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383695#M69074</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-05-07T09:27:35Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from the Splunk log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383696#M69075</link>
      <description>&lt;P&gt;@FrankVI they are separate events, I need to get it on an order basis, like the first occurred start date with the first occurred end date, the second occurred start date with the second occurred end date, ... and so on. Can you please suggest what else I can do?&lt;/P&gt;</description>
      <pubDate>Mon, 07 May 2018 09:34:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383696#M69075</guid>
      <dc:creator>karthi25</dc:creator>
      <dc:date>2018-05-07T09:34:21Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from the Splunk log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383697#M69076</link>
      <description>&lt;P&gt;I guess there are a couple of approaches to combine data from 2 events into 1. The &lt;CODE&gt;transaction&lt;/CODE&gt; command is one option (but perhaps not the best-performing one); alternatives could be to use something like &lt;CODE&gt;streamstats&lt;/CODE&gt; or &lt;CODE&gt;autoregress&lt;/CODE&gt;.&lt;/P&gt;</description>
      <pubDate>Mon, 07 May 2018 09:57:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383697#M69076</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-05-07T09:57:25Z</dc:date>
    </item>
    <item>
      <title>Re: Extract date from the Splunk log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383698#M69077</link>
      <description>&lt;P&gt;Just a hint: use regex101.com. You can put your regex and example data in there, and any regex that works there (and extracts named capture groups) most likely also works in Splunk.&lt;BR /&gt;
Entering your regex there would've shown you that you're missing the named capture groups, for example. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 07 May 2018 10:13:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Extract-date-from-the-Splunk-log/m-p/383698#M69077</guid>
      <dc:creator>xpac</dc:creator>
      <dc:date>2018-05-07T10:13:55Z</dc:date>
    </item>
  </channel>
</rss>