https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457795#M129289 <P>Yes. I understand Naresh. Thanks for your answer. I accept your answer as well.</P> Thu, 22 Aug 2019 07:09:42 GMT Nidd 2019-08-22T07:09:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457792#M129286 <P>I have Splunk logs like:</P> <PRE><CODE>class,method,user,transactionType,,428856645467856301,1073258159,50213,5,2019-08-21 23:17:58.562,2019-08-21 23:17:58.994,432,,,,4,45170632,19634442,,,,159,52297220,801767,,,,,,,b4a954df-8c77-4a30-b4ac-68ec9afe9a48,,,,TransactionType=transactionType| </CODE></PRE> <P>There would be many many logs of this format.</P> <P>I now need to extract a couple of timestamps and populate in a table. Eg: '2019-08-21 23:17:58.562' and '2019-08-21 23:17:58.994,432' from the above log and display as:<BR /> -------------------------------------------------------------------<BR /> StartTime EndTime<BR /> -------------------------------------------------------------------<BR /> 2019-08-21 23:17:58.562 2019-08-21 23:17:58.994<BR /> -------------------------------------------------------------------</P> <P>Can someone please help?</P> Thu, 22 Aug 2019 06:48:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457792#M129286 Nidd 2019-08-22T06:48:52Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457793#M129287 <P>Try this: Keep in mind that this only helps if the time placements are at the same position for all your log content. If your input is of csv format with all headers, extraction would have been easy</P> <PRE><CODE>|makeresults |eval _raw="class,method,user,transactionType,,428856645467856301,1073258159,50213,5,2019-08-21 23:17:58.562,2019-08-21 23:17:58.994,432,,,,4,45170632,19634442,,,,159,52297220,801767,,,,,,,b4a954df-8c77-4a30-b4ac-68ec9afe9a48,,,,TransactionType=transactionType" |eval fields=split(_raw,",") | eval Start_time=mvindex(fields,9), End_time=mvindex(fields,10) | table Start_time End_time </CODE></PRE> Thu, 22 Aug 2019 07:04:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457793#M129287 nareshinsvu 2019-08-22T07:04:24Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457794#M129288 <P>Found this:</P> <PRE><CODE>&lt;mySearch&gt; | rex "^(?:(?&lt;TransactionStartTime&gt;[^,]*),){10}" | rex "^(?:(?&lt;TransactionEndTime&gt;[^,]*),){11}" | table TransactionStartTime, TransactionEndTime </CODE></PRE> Thu, 22 Aug 2019 07:08:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457794#M129288 Nidd 2019-08-22T07:08:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457795#M129289 <P>Yes. I understand Naresh. Thanks for your answer. I accept your answer as well.</P> Thu, 22 Aug 2019 07:09:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-regex-for-unmapped-queries/m-p/457795#M129289 Nidd 2019-08-22T07:09:42Z