Solved: How to extract Date and Time from the raw logs

aditsss · ‎09-29-2020

Hi Everyone,

Below is my data( raw logs)

pod_name=node-fdzz message=2020-09-25 21:09:33.969 ERROR [node,00e,4deca,false]67 --- [r-84-548] c.r.Resolver

How do I extract Date and time 2020-09-25 21:09:33.969 from the above log data?

Can anyone guide me on this.

ITWhisperer · ‎09-29-2020

index=abc ns=sigh nodeException node="*" Id=* |rex "message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|fields datetime

You don't need field= as the default field is _raw - if you want to specify it explicitly then use

index=abc ns=sigh nodeException node="*" Id=* |rex field=_raw "message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|fields datetime

ITWhisperer · ‎09-29-2020

This regex will extract the datetime

"message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"

aditsss · ‎09-29-2020

I tried like below . Not able to get any result

Where I am going wrong!

index=abc ns=sigh nodeException node="*" Id=* |rex field="message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|fields datetime

ITWhisperer · ‎09-29-2020

Ideally, this extract should be done at indexing time

ITWhisperer · ‎09-29-2020

index=abc ns=sigh nodeException node="*" Id=* |rex "message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|fields datetime

You don't need field= as the default field is _raw - if you want to specify it explicitly then use

index=abc ns=sigh nodeException node="*" Id=* |rex field=_raw "message=(?P<datetime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d+)\s"|fields datetime

aditsss · ‎09-29-2020

Thank you once again . It works exactly the way I want.

How to extract Date and Time from the raw logs