https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490599#M136988 <P>I don't see the differences in the latest query.</P> <P>The events of the last 3 months will all have Year==2020 and Current_Year==2020. Therefore, they will all fail <CODE>where Year!=Current_Year</CODE> and will not be displayed.</P> Wed, 30 Sep 2020 05:12:23 GMT richgalloway 2020-09-30T05:12:23Z https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490596#M136985 <P>Hey<BR /> I'm trying to extract the values from _time to new fields (Year, Month, Day), in order to compare average of events during current month to last 3 months, but it seems like they do not get any value.</P> <P>here is my search:</P> <PRE><CODE> 'soc_events' | search * Rule_Name="*" | eval mytime=strftime(_time, "%Y/%m/%d") | rex field=mytime "(\"?&lt;Year&gt;\d+)/(?&lt;Month\d+)/(?&lt;Day&gt;\d+)\"" | stats count as Count by Year,Month,Day | sort Year,Month,Day | eventstats last(Month) as Current_Month last(Year) as Current_Year | where Month!=CurrentMonth OR Year!=Current_Year | stats avg(Count) as DayAveravge values(Month) as Months by Day </CODE></PRE> Mon, 04 May 2020 14:41:52 GMT https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490596#M136985 henderz 2020-05-04T14:41:52Z https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490597#M136986 <P>The regular expression does not match the data. Since the 'mytime' field does not contain quotation marks, they should not be in the <CODE>rex</CODE> command. Try <CODE>| rex field=mytime "(?&lt;Year&gt;\d+)/(?&lt;Month&gt;\d+)/(?&lt;Day&gt;\d+)"</CODE>.</P> <P>That's not all. Once you filter out all events from the current year using <CODE>| where Month!=CurrentMonth OR Year!=Current_Year</CODE> you're likely to have nothing left.</P> <P>What problem is this query trying to solve?</P> Mon, 04 May 2020 14:59:24 GMT https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490597#M136986 richgalloway 2020-05-04T14:59:24Z https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490598#M136987 <P>well as i said i'm trying compare average of events during current month to last 3 months</P> <P>i did few changes that helped a little :</P> <PRE><CODE> 'soc_events' | search * Rule_Name="*" | eval mytime=strftime(_time, "%Y/%m/%d") | rex field=mytime "("?&lt;Year&gt;\d+)/(?&lt;Month\d+)/(?&lt;Day&gt;\d+)"" | stats count as Count by Year,Month,Day | sort Year,Month,Day | eventstats last(Month) as Current_Month last(Year) as Current_Year | where Month!=Current_Month OR Year!=Current_Year | stats avg(Count) as DayAveravge values(Month) as Months by Day </CODE></PRE> <P>but now the query does not compare the previous months to this one like i wanted it to</P> Mon, 04 May 2020 15:04:31 GMT https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490598#M136987 henderz 2020-05-04T15:04:31Z https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490599#M136988 <P>I don't see the differences in the latest query.</P> <P>The events of the last 3 months will all have Year==2020 and Current_Year==2020. Therefore, they will all fail <CODE>where Year!=Current_Year</CODE> and will not be displayed.</P> Wed, 30 Sep 2020 05:12:23 GMT https://community.splunk.com/t5/Splunk-Search/Rex-problem/m-p/490599#M136988 richgalloway 2020-09-30T05:12:23Z