Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract date using rex?

avneet26
Engager
‎12-04-2020 01:14 AM

how to extract date using rex command ? format is "time":"2020-12-04+01:00"

Labels (1)
Labels
0 Karma
Reply

Kumar2
Loves-to-Learn Lots
‎12-30-2021 02:49 AM

@gcusello Hi sir How to write rex command for this extracting this fields into date and file 

Jan 22 06:53 | 21361MA54268.done

Can you please help me .Thanks in Advance 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 03:10 AM

Hi @Kumar2,

if you want to extarct the "Time" field, you can use a regex:

| rex "^(?<time>[^\|]+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M

Ciao.

Giuseppe

Reply

Kumar2
Loves-to-Learn Lots
‎12-30-2021 04:42 AM

Thank you sir 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 11:25 PM

Hi @Kumar2,

good for you, see next time.

eventually, next time, open a new question, even if similar to another, so you can accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

avneet26
Engager
‎12-04-2020 02:33 AM

Hi, yes i am sure about the format. can you help me how i can extract only the date from the format i have given example - from field "time":"2020-12-04+01:00" , if i want to extract only 2020-12-04 then how can i do that?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2021 03:06 AM

Hi @avneet26,
if you want to extarct the "Time" field, you can use a regex:

| rex "\"time\":\"(?<time>\d+-\d+-\d+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX =  \"time\":\"
TIME_FORMAT = %Y-%m-%d

Ciao.

Giuseppe

Reply

avneet26
Engager
‎12-04-2020 01:49 AM

is it possible if we can extract only the date from the time field?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2020 02:31 AM

Hi @avneet26,

the regex I sent you is correct as you can check at https://regex101.com/r/GZafMf/1

Are you sure about the sample date you share? it's a strange timestamp: date and timezone without time!

Could you share other samples?

Ciao.

Giuseppe

0 Karma
Reply

avneet26
Engager
‎12-04-2020 01:45 AM

Hi.. i want the complete date field . for example i have taken the field "time":"2020-12-04+01:00" i will to extract starting from 2020 till 01:00 but using the first option you gave its not working. pls help.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2020 01:28 AM

Hi @avneet26,

do you want:

  • to extract a date field from a log and put it in a field,
  • to parse a date at index time,
  • to display a date in a different format (e.g. from epochtime to your format)?

At first the date you used as sample is strange because it's a date with the timezone and without the time.

Anyway, in the first case, you can use a regex:

| rex "\"time\":\"(?<time>[^\"]+)\"

In the second case the TIME_FORMAT is (only for the date you shared!):

TIME_FORMAT=%Y-%m-%d%:z

  If you want to display an epochtime date to the format you shared:

| eval time=strftime(time,"%y-%m-%d%:z")

or if you want to transfroma the date you shared in epochtime, the same using "strptime" function.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...