topic Re: regex to split time/date from field in lookup for timechart in Splunk Search

regex to split time/date from field in lookup for timechart

nathanluke86 — Thu, 13 Feb 2020 13:51:05 GMT

I have a lookup and would like to extract the date for a time chart

TIA

manjunathmeti — Thu, 13 Feb 2020 14:27:56 GMT

Try:
| rex field=whenCreated "(?[\d:.\sAPM]+),\s\w{3}\s(?[\d/]+)"

Sample query:

| makeresults | eval whenCreated="04:25.45 PM, Thu 10/01/2015" | rex field=whenCreated "(?<time>[\d:.\sAPM]+),\s\w{3}\s(?<date>[\d/]+)"

oscar84x — Thu, 13 Feb 2020 14:36:09 GMT

Hello. Try this:

| makeresults 
| eval timeStamp="04:24.45 PM, Thu 10/01/2015"
| rex field=timeStamp "(?<time>\d+:\d+\.\d+\s\w+)\,\s\w+\s(?<date>\d+\/\d+\/\d+)"

vnravikumar — Thu, 13 Feb 2020 14:38:14 GMT

Hi @nathanluke86

Try the below rex

| makeresults 
| eval whenCreated="04:25.45 PM, Thu 10/01/2015" 
| rex field=whenCreated "(?P<date>\d{2}\/\d{2}\/\d{4}$)"

nathanluke86 — Thu, 13 Feb 2020 15:05:57 GMT

@oscar84x @manjunathmeti @vnravikumar

I have multiple dates in the whenCreated column in the lookup (240 results all different times).

What I am trying to achieve is to just use the results of the lookup using two fields

timechart user by whenCreated if that make sense

TIA

nathanluke86 — Fri, 14 Feb 2020 09:21:11 GMT

Took line 3 from above Thanks