topic Re: interesting regex in Splunk Search

interesting regex

dbcase — Thu, 12 Jul 2018 18:25:48 GMT

Hi,

I have data that looks like this

2018-06-11 23:37:11,035 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService

2018-06-11 23:37:09,386 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - In register camera update event, with accessToken 

2018-06-11 23:37:07,763 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - Reponse of camera update event

I need to be able to extract out the date and time on each event . (i.e. 2018-06-11 23:37:11,035)

Re: interesting regex

kamlesh_vaghela — Thu, 12 Jul 2018 18:42:57 GMT

@dbcase,

Are you looking for this?

| makeresults | eval _raw="2018-06-11 23:37:07,763 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - Reponse of camera update event " | rex field=_raw "(?<my_date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})" | table my_date

Re: interesting regex

dbcase — Thu, 12 Jul 2018 18:55:06 GMT

Thanks Kamlesh! that works!!!!

Re: interesting regex

kamlesh_vaghela — Thu, 12 Jul 2018 18:57:58 GMT

Great!!
Can you please accept the answer to close this question?

Re: interesting regex

cpetterborg — Thu, 12 Jul 2018 19:04:55 GMT

If the data is going into Splunk correctly, then you should have the time in the variable _time as well as getting access to each of the fields named date_* for the year, month, day, hour, minute, second. You would not get the sub-second value automatically. The _time field can be output in any number of formats. So you should have that same data available to you without having to use a regex.

If on the other hand you have need of that date specifically, then you can use a regex (like that provided by @kamiesh_veghela). Do you need that date broken up into different fields? If so, that is another regex, but can be done easily enough.

Re: interesting regex

richgalloway — Sat, 12 Jan 2019 21:07:25 GMT

@dbcase If your problem is resolved, please accept the answer to help future readers and to give the answerer the promised Karma points.