topic Re: Extract date and time from a message in Splunk Search

Extract date and time from a message

sravani27 — Tue, 22 Aug 2017 17:41:08 GMT

Hi I am trying to extract the date and time from the field "message". It gives me everything after the date and time. I don't want the text after the time.
message
PubAck Packet sent to device 1234A and 12345678910FC at 08-21-2017 22:09:48.401.
Publish message received at 08-21-2017 18:50:04.841 for this service.
Required Output
08-21-2017 22:09:48.401
08-21-2017 18:50:04.841
My regex
rex field=message "at(?.+)"

My result
08-21-2017 22:09:48.401.
08-21-2017 18:50:04.841 for this service.

Re: Extract date and time from a message

skoelpin — Tue, 22 Aug 2017 18:24:49 GMT

Try this. The fieldname will be time

... | rex \sat\s(?<time>\d+\-\d+\-\d+\s\d+:\d+:\d+\.\d+)

Re: Extract date and time from a message

cpetterborg — Tue, 22 Aug 2017 18:36:04 GMT

| makeresults | eval message="Publish message received at 08-21-2017 18:50:04.841 for this service." | rex field=message "at\s+(?P<datetime>\S+\s+\S+)"

Re: Extract date and time from a message

lfedak_splunk — Fri, 25 Aug 2017 23:10:10 GMT

Hey @sravani27, did either of these solutions work for you?