how to extract date using rex?

avneet26
Engager

How do I extract a date using the rex command? The format is "time":"2020-12-04+01:00"


Kumar2
Loves-to-Learn Lots

@gcusello Hi sir, how do I write a rex command to extract these fields into date and file?

Jan 22 06:53 | 21361MA54268.done

Can you please help me? Thanks in advance.


gcusello
SplunkTrust

Hi @Kumar2,

if you want to extract the "Time" field, you can use a regex:

| rex "^(?<time>[^\|]+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M

Ciao.

Giuseppe

Kumar2
Loves-to-Learn Lots

Thank you sir 


gcusello
SplunkTrust

Hi @Kumar2,

good for you, see next time.

Eventually, next time, open a new question, even if it is similar to another, so you can accept the answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


avneet26
Engager

Hi, yes, I am sure about the format. Can you help me extract only the date from the format I gave as an example? From the field "time":"2020-12-04+01:00", if I want to extract only 2020-12-04, how can I do that?


gcusello
SplunkTrust

Hi @avneet26,
if you want to extract the "Time" field, you can use a regex:

| rex "\"time\":\"(?<time>\d+-\d+-\d+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = \"time\":\"
TIME_FORMAT = %Y-%m-%d

Ciao.

Giuseppe

avneet26
Engager

Is it possible to extract only the date from the time field?


gcusello
SplunkTrust

Hi @avneet26,

the regex I sent you is correct as you can check at https://regex101.com/r/GZafMf/1

Are you sure about the sample date you shared? It's a strange timestamp: date and timezone without time!

Could you share other samples?

Ciao.

Giuseppe


avneet26
Engager

Hi, I want the complete date field. For example, I have taken the field "time":"2020-12-04+01:00" and I want to extract from 2020 through 01:00, but using the first option you gave it's not working. Please help.


gcusello
SplunkTrust

Hi @avneet26,

do you want:

  • to extract a date field from a log and put it in a field,
  • to parse a date at index time,
  • to display a date in a different format (e.g. from epochtime to your format)?

First of all, the date you used as a sample is strange because it's a date with the timezone and without the time.

Anyway, in the first case, you can use a regex:

| rex "\"time\":\"(?<time>[^\"]+)\""

In the second case the TIME_FORMAT is (only for the date you shared!):

TIME_FORMAT=%Y-%m-%d%:z

If you want to display an epochtime date in the format you shared:

| eval time=strftime(time,"%Y-%m-%d%:z")

or, if you want to transform the date you shared into epochtime, the same using the "strptime" function.

Ciao.

Giuseppe
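The three cases Giuseppe lists (extract the whole value, extract only the date, convert the odd date-plus-offset value to epoch) can be checked offline before touching props.conf. The following is an added example in Python rather than SPL, not code from the thread; the sample events and function names are constructed for illustration, and the patterns are the thread's rex regexes rewritten with Python's `(?P<name>...)` group syntax.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample events in the "time":"YYYY-MM-DD+HH:MM" shape the question describes.
SAMPLE_EVENTS = [
    '{"time":"2020-12-04+01:00","user":"alice","action":"login"}',
    '{"time":"2021-03-15-05:00","user":"bob","action":"logout"}',   # negative UTC offset
    '{"user":"carol","action":"login"}',                            # no time field at all
]

# Same regexes as the rex commands above, named groups in Python syntax.
FULL_TIME_RE = re.compile(r'"time":"(?P<time>[^"]+)"')       # whole value: 2020-12-04+01:00
DATE_ONLY_RE = re.compile(r'"time":"(?P<date>\d+-\d+-\d+)')  # date part only: 2020-12-04


def extract_time(event: str) -> Optional[str]:
    """Equivalent of: | rex "\"time\":\"(?<time>[^\"]+)\"" """
    m = FULL_TIME_RE.search(event)
    return m.group("time") if m else None


def extract_date(event: str) -> Optional[str]:
    """Equivalent of: | rex "\"time\":\"(?<time>\d+-\d+-\d+)" """
    m = DATE_ONLY_RE.search(event)
    return m.group("date") if m else None


def to_epoch(value: str) -> Optional[float]:
    """Equivalent of strptime(time, "%Y-%m-%d%:z"): a date and a UTC offset with no
    clock time parses as midnight on that date in that offset, returned as UTC epoch
    seconds. Returns None when the value does not carry an offset."""
    try:
        dt = datetime.strptime(value, "%Y-%m-%d%z")  # Python 3.7+ accepts "+01:00" for %z
    except ValueError:
        return None
    return dt.timestamp()


def parse_events(events: List[str]) -> List[Tuple[Optional[str], Optional[str], Optional[float]]]:
    """Return (raw_time, date_only, epoch) per event; None where the field is absent."""
    rows = []
    for ev in events:
        raw = extract_time(ev)
        rows.append((raw, extract_date(ev), to_epoch(raw) if raw else None))
    return rows


if __name__ == "__main__":
    for row in parse_events(SAMPLE_EVENTS):
        print(row)
```

Note that 2020-12-04 at +01:00 lands on 2020-12-03 23:00 UTC, which is the kind of day-boundary shift worth confirming before indexing with that TIME_FORMAT.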
