topic Re: How to use rex and sed to insert '-' and ':' in the result? in Splunk Search

How to use rex and sed to insert '-' and ':' in the result?

nilotpaldutta — Mon, 15 Jun 2015 11:32:02 GMT

Hi, I'm new to Splunk. I have a query that extracts the date and time from the name of a log file. Logfile names are like e.g. XXXXXXXX_20150615133030.log. My query successfully returns the desired output which is 20150615133030. This is as per my requirement.

Now, i would like to edit the number to show like this -- "2015-06-15 13:30:30".
I tried the following command in bash prompt and it works -- sed 's/^\(.\{4\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)/\1-\2-\3 \4:\5:/g' numbers.txt and it works fine. But this is not working when i use it in my Splunk query.

Please answer if anyone knows. Thanks in advance.

Re: How to use rex and sed to insert '-' and ':' in the result?

richgalloway — Mon, 15 Jun 2015 11:45:20 GMT

What is the Splunk query that is failing?

Re: How to use rex and sed to insert '-' and ':' in the result?

stephanefotso — Mon, 15 Jun 2015 11:50:22 GMT

Also, why don't you edit your props.conf for it? I think it will be easy!

Re: How to use rex and sed to insert '-' and ':' in the result?

nilotpaldutta — Mon, 15 Jun 2015 12:04:51 GMT

index=myindex | dedup source | sort -source | dedup sourcetype | rex field=source mode=sed "s/[^0-9]*//g" | rename source as date | rex field=date mode=sed "s/(\d{4}-){1}/2015-/g" | table sourcetype, date

source and sourcetype are two fields i'm retrieving.

Re: How to use rex and sed to insert '-' and ':' in the result?

nilotpaldutta — Mon, 15 Jun 2015 12:18:48 GMT

Thanks for your response. Can you please post an example?
I'm not looking to standardize my output. Just need it once for the above query.
I might be wrong but isn't editing any config file going to always return results of other queries also in one particular format?

Re: How to use rex and sed to insert '-' and ':' in the result?

yannK — Mon, 15 Jun 2015 12:34:28 GMT

in the search query, the sed string is between double quotes. Therefore you have to escape or double escape some symbols.

PS: in the props.conf you do not need the extra escape.

Re: How to use rex and sed to insert '-' and ':' in the result?

richgalloway — Mon, 15 Jun 2015 12:51:59 GMT

Your search is failing because the date field does not have a hyphen in it. This should work (your original sed string has far too many escapes).

rex field=date mode=sed "s/(.{4})(.{2})(.{2})(.{2})(.{2})/\1-\2-\3 \4:\5:/"

Re: How to use rex and sed to insert '-' and ':' in the result?

nilotpaldutta — Tue, 16 Jun 2015 05:48:52 GMT

Thank you. This works for me. 🙂

Re: How to use rex and sed to insert '-' and ':' in the result?

richgalloway — Tue, 16 Jun 2015 12:30:15 GMT

Please accept the answer.