
how to extract date using rex?

avneet26
Engager

How do I extract the date using the rex command? The format is "time":"2020-12-04+01:00"


Kumar2
Loves-to-Learn Lots

@gcusello Hi sir, how do I write a rex command for extracting these fields into date and file?

Jan 22 06:53 | 21361MA54268.done

Can you please help me. Thanks in advance.


gcusello
SplunkTrust

Hi @Kumar2,

if you want to extract the "Time" field, you can use a regex:

| rex "^(?<time>[^\|]+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M

Ciao.

Giuseppe

Kumar2
Loves-to-Learn Lots

Thank you, sir.


gcusello
SplunkTrust

Hi @Kumar2,

good for you, see you next time.

Eventually, next time, open a new question, even if it is similar to another, so you can accept the answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


avneet26
Engager

Hi, yes, I am sure about the format. Can you help me extract only the date from the format I have given? For example, from the field "time":"2020-12-04+01:00", if I want to extract only 2020-12-04, how can I do that?


gcusello
SplunkTrust

Hi @avneet26,
if you want to extract the "Time" field, you can use a regex:

| rex "\"time\":\"(?<time>\d+-\d+-\d+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = \"time\":\"
TIME_FORMAT = %Y-%m-%d

Ciao.

Giuseppe

avneet26
Engager

Is it possible to extract only the date from the time field?


gcusello
SplunkTrust

Hi @avneet26,

the regex I sent you is correct, as you can check at https://regex101.com/r/GZafMf/1

Are you sure about the sample date you shared? It's a strange timestamp: date and timezone without time!

Could you share other samples?

Ciao.

Giuseppe


avneet26
Engager

Hi, I want the complete date field. For example, I have taken the field "time":"2020-12-04+01:00"; I want to extract starting from 2020 till 01:00, but using the first option you gave it's not working. Please help.


gcusello
SplunkTrust

Hi @avneet26,

do you want:

  • to extract a date field from a log and put it in a field,
  • to parse a date at index time,
  • to display a date in a different format (e.g. from epochtime to your format)?

First, the date you used as a sample is strange, because it has a timezone but no time.

Anyway, in the first case, you can use a regex:

| rex "\"time\":\"(?<time>[^\"]+)\""

In the second case the TIME_FORMAT is (only for the date you shared!):

TIME_FORMAT = %Y-%m-%d%:z

If you want to display an epochtime date in the format you shared:

| eval time=strftime(time,"%Y-%m-%d%:z")

or, if you want to transform the date you shared into epochtime, the same using the "strptime" function.

Ciao.

Giuseppe
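The three cases Giuseppe lists (extract the value into a field, parse it as a timestamp, render an epoch back into that shape), plus the "Jan 22 06:53 | file.done" extraction from earlier in the thread, as a worked example in Python. This is added illustration, not code from the thread or from Splunk; the sample events are constructed, the patterns are the thread's rex expressions rewritten in Python's (?P<name>...) syntax, and the parser assumes midnight when the value carries a date and offset but no clock time.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample events (not real data from the thread).
JSON_EVENT = '{"id":"evt-1","time":"2020-12-04+01:00","status":"ok"}'
PIPE_EVENT = "Jan 22 06:53 | 21361MA54268.done"

# The thread's rex patterns in Python syntax.
TIME_FIELD_RE = re.compile(r'"time":"(?P<time>[^"]+)"')           # whole value, offset included
DATE_ONLY_RE = re.compile(r'"time":"(?P<date>\d+-\d+-\d+)')       # YYYY-MM-DD only
PIPE_RE = re.compile(r"^(?P<time>[^|]+?)\s*\|\s*(?P<file>\S+)")   # "Jan 22 06:53 | x.done"


def extract_time_field(event: str) -> Optional[str]:
    """Case 1: copy the whole "time" value into a field (keeps the +01:00)."""
    m = TIME_FIELD_RE.search(event)
    return m.group("time") if m else None


def extract_date_only(event: str) -> Optional[str]:
    """Case 1, narrower: only the date part, dropping the offset suffix."""
    m = DATE_ONLY_RE.search(event)
    return m.group("date") if m else None


def extract_pipe_fields(event: str) -> Optional[Dict[str, str]]:
    """Split "Jan 22 06:53 | 21361MA54268.done" into time and file fields.
    The lazy [^|]+? followed by \\s* stops before the blank in front of the pipe,
    so the time field carries no trailing whitespace."""
    m = PIPE_RE.match(event)
    return m.groupdict() if m else None


def to_epoch(value: str) -> int:
    """Case 2 (strptime): parse a date-plus-offset value with no clock time.
    Python's %z accepts the "+01:00" form since 3.7; midnight is assumed, so
    2020-12-04+01:00 becomes 2020-12-03T23:00:00Z."""
    return int(datetime.strptime(value, "%Y-%m-%d%z").timestamp())


def from_epoch(epoch: int, offset_hours: int = 1) -> str:
    """Case 3 (strftime): render an epoch in the thread's "%Y-%m-%d%:z" shape.
    The offset is formatted by hand because "%:z" in strftime is only
    available in recent Python releases."""
    dt = datetime.fromtimestamp(epoch, tz=timezone(timedelta(hours=offset_hours)))
    total = int(dt.utcoffset().total_seconds())
    sign = "+" if total >= 0 else "-"
    hh, mm = divmod(abs(total) // 60, 60)
    return dt.strftime("%Y-%m-%d") + f"{sign}{hh:02d}:{mm:02d}"


if __name__ == "__main__":
    print(extract_time_field(JSON_EVENT))   # 2020-12-04+01:00
    print(extract_date_only(JSON_EVENT))    # 2020-12-04
    print(extract_pipe_fields(PIPE_EVENT))  # {'time': 'Jan 22 06:53', 'file': '21361MA54268.done'}
    print(to_epoch("2020-12-04+01:00"))     # 1607036400
    print(from_epoch(1607036400))           # 2020-12-04+01:00
```

The round trip through to_epoch and from_epoch is where the "date with offset but no time" oddity bites: the offset shifts the instant by an hour even though no clock time was ever logged, so two writers in different zones logging the same calendar day end up with different epochs. That is the caveat behind Giuseppe's "only for the date you shared!".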
