Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract date using rex?

avneet26
Engager
‎12-04-2020 01:14 AM

how to extract date using rex command ? format is "time":"2020-12-04+01:00"

Labels (1)
Labels
0 Karma
Reply

Kumar2
Loves-to-Learn Lots
‎12-30-2021 02:49 AM

@gcusello Hi sir How to write rex command for this extracting this fields into date and file 

Jan 22 06:53 | 21361MA54268.done

Can you please help me .Thanks in Advance 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 03:10 AM

Hi @Kumar2,

if you want to extarct the "Time" field, you can use a regex:

| rex "^(?<time>[^\|]+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M

Ciao.

Giuseppe

Reply

Kumar2
Loves-to-Learn Lots
‎12-30-2021 04:42 AM

Thank you sir 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 11:25 PM

Hi @Kumar2,

good for you, see next time.

eventually, next time, open a new question, even if similar to another, so you can accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

avneet26
Engager
‎12-04-2020 02:33 AM

Hi, yes i am sure about the format. can you help me how i can extract only the date from the format i have given example - from field "time":"2020-12-04+01:00" , if i want to extract only 2020-12-04 then how can i do that?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 03:06 AM

Hi @avneet26,
if you want to extarct the "Time" field, you can use a regex:

| rex "\"time\":\"(?<time>\d+-\d+-\d+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX =  \"time\":\"
TIME_FORMAT = %Y-%m-%d

Ciao.

Giuseppe

Reply

avneet26
Engager
‎12-04-2020 01:49 AM

is it possible if we can extract only the date from the time field?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2020 02:31 AM

Hi @avneet26,

the regex I sent you is correct as you can check at https://regex101.com/r/GZafMf/1

Are you sure about the sample date you share? it's a strange timestamp: date and timezone without time!

Could you share other samples?

Ciao.

Giuseppe

0 Karma
Reply

avneet26
Engager
‎12-04-2020 01:45 AM

Hi.. i want the complete date field . for example i have taken the field "time":"2020-12-04+01:00" i will to extract starting from 2020 till 01:00 but using the first option you gave its not working. pls help.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2020 01:28 AM

Hi @avneet26,

do you want:

  • to extract a date field from a log and put it in a field,
  • to parse a date at index time,
  • to display a date in a different format (e.g. from epochtime to your format)?

At first the date you used as sample is strange because it's a date with the timezone and without the time.

Anyway, in the first case, you can use a regex:

| rex "\"time\":\"(?<time>[^\"]+)\"

In the second case the TIME_FORMAT is (only for the date you shared!):

TIME_FORMAT=%Y-%m-%d%:z

  If you want to display an epochtime date to the format you shared:

| eval time=strftime(time,"%y-%m-%d%:z")

or if you want to transfroma the date you shared in epochtime, the same using "strptime" function.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top