topic Re: How to remove a few characters at the beginning of a field? in Splunk Search

How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 12 Mar 2019 14:23:33 GMT

Hi Team,

I have the following field values and i want extract only the highlighted values from it.

utility_extract10_DELTA_708**2019-03-12 06:03:33**
utility_extract1_DELTA_708**2019-03-12 06:06:27**

Can you please give me a solution to this?

Re: How to remove a few characters at the beginning of a field?

vnravikumar — Tue, 12 Mar 2019 14:27:39 GMT

Can you specify the required text

Re: How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 12 Mar 2019 14:38:02 GMT

2019-03-12 06:03:33
2019-03-12 06:06:27

Re: How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 29 Sep 2020 23:37:06 GMT

actual field values are like below

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract1_DELTA_7082019-03-12 06:06:27

i want to extract

2019-03-12 06:03:33
2019-03-12 06:06:27 respectively

Re: How to remove a few characters at the beginning of a field?

vnravikumar — Tue, 12 Mar 2019 14:42:17 GMT

Try like

yourquery|rex field=msg "_\d{3}(?P<date>\d{4}.+)"

yourquery|rex field=msg "\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}$"

Re: How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 29 Sep 2020 23:37:14 GMT

no this is not working for all the values...i have 22 values for msg field before apply this rex, but after i apply its showing only 20 values...for 2 values the regex is not appropriate..

Posting here few more values from that value

utility_extract10_DELTA_7082019-03-12 06:03:33
utility_extract10_DELTA_9362019-03-12 06:07:00
utility_extract11_DELTA_7082019-03-12 06:08:17
utility_extract11_DELTA_9362019-03-12 06:07:35
utility_extract12_DELTA_7082019-03-12 06:08:39
utility_extract13_DELTA_7082019-03-12 06:08:40
utility_extract13_DELTA_9362019-03-12 06:10:21
utility_extract14_DELTA_7082019-03-12 06:09:52
utility_extract1_DELTA_7082019-03-12 06:06:27
utility_extract1_DELTA_9362019-03-12 06:06:51

i just neeed to extract the date and time from that field

Re: How to remove a few characters at the beginning of a field?

Vijeta — Tue, 12 Mar 2019 14:58:07 GMT

@pench2k19 You can use the below rex command , suppose your field name is x

 <your query>|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"

Re: How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 12 Mar 2019 15:01:24 GMT

no luck..its still missing 2 values before and after we apply rex expression

Re: How to remove a few characters at the beginning of a field?

nickhills — Tue, 12 Mar 2019 15:01:41 GMT

hi @pench2k19

   |rex  "\*?(?P<my_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\*?" max_match=0

This will give you a new field called 'my_time' with just your extracted date.

This should work, given your source data: see https://regex101.com/r/hZQsA9/2

Re: How to remove a few characters at the beginning of a field?

pench2k19 — Tue, 29 Sep 2020 23:37:17 GMT

no luck with this as well.

as i said in my previous comments i have 22 values like the follwoing in one field

but after i apply above regex it is giving me only 20 values result in the output, 2 values are missing

Re: How to remove a few characters at the beginning of a field?

Vijeta — Tue, 12 Mar 2019 15:17:08 GMT

@pench2k19 Are you sure, I tried the below query and it resulted in appropriate date/time value in date field.

|makeresults|eval x="utility_extract10_DELTA_708*2019-03-12 06:03:33"| appendpipe[|eval x="utility_extract1_DELTA_7082019-03-12 06:06:27*"]|rex field=x "_\d+.*(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})"

Re: How to remove a few characters at the beginning of a field?

vnravikumar — Tue, 12 Mar 2019 15:29:00 GMT

If possible can you please post that two msg that was missing

Re: How to remove a few characters at the beginning of a field?

vnravikumar — Tue, 12 Mar 2019 15:38:27 GMT

try this rex _.+(?P<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})

Re: How to remove a few characters at the beginning of a field?

vnravikumar — Tue, 12 Mar 2019 16:28:19 GMT

Have you tried?