
how to extract date using rex?

avneet26
Engager

How to extract a date using the rex command? The format is "time":"2020-12-04+01:00"


Kumar2
Loves-to-Learn Lots

@gcusello Hi sir, how to write a rex command for extracting this into date and file fields:

Jan 22 06:53 | 21361MA54268.done

Can you please help me. Thanks in advance.


gcusello
SplunkTrust

Hi @Kumar2,

if you want to extract the "Time" field, you can use a regex:

| rex "^(?<time>[^\|]+?)\s*\|"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M

Ciao.

Giuseppe

Kumar2
Loves-to-Learn Lots

Thank you sir 


gcusello
SplunkTrust

Hi @Kumar2,

good for you, see next time.

eventually, next time, open a new question, even if similar to another, so you can accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


avneet26
Engager

Hi, yes, I am sure about the format. Can you help me with how I can extract only the date from the format I have given? For example, from the field "time":"2020-12-04+01:00", if I want to extract only 2020-12-04, then how can I do that?


gcusello
SplunkTrust

Hi @avneet26,
if you want to extract the "Time" field, you can use a regex:

| rex "\"time\":\"(?<time>\d+-\d+-\d+)"

if instead you want to use it as event timestamp, you have to put in your props.conf:

[your_sourcetype]
TIME_PREFIX = \"time\":\"
TIME_FORMAT = %Y-%m-%d

Ciao.

Giuseppe

avneet26
Engager

Is it possible to extract only the date from the time field?


gcusello
SplunkTrust

Hi @avneet26,

the regex I sent you is correct as you can check at https://regex101.com/r/GZafMf/1

Are you sure about the sample date you shared? It's a strange timestamp: date and timezone without time!

Could you share other samples?

Ciao.

Giuseppe


avneet26
Engager

Hi, I want the complete date field. For example, I have taken the field "time":"2020-12-04+01:00"; I want to extract starting from 2020 till 01:00, but using the first option you gave it's not working. Please help.


gcusello
SplunkTrust

Hi @avneet26,

do you want:

  • to extract a date field from a log and put it in a field,
  • to parse a date at index time,
  • to display a date in a different format (e.g. from epochtime to your format)?

At first the date you used as sample is strange because it's a date with the timezone and without the time.

Anyway, in the first case, you can use a regex:

| rex "\"time\":\"(?<time>[^\"]+)\""

In the second case the TIME_FORMAT is (only for the date you shared!):

TIME_FORMAT=%Y-%m-%d%:z

If you want to display an epochtime date in the format you shared:

| eval time=strftime(time,"%Y-%m-%d%:z")

or if you want to transform the date you shared into epochtime, the same using the "strptime" function.

Ciao.

Giuseppe
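Added example, not code from the thread: the two rex patterns above (date-only and full value) and the pipe-separated format from the earlier question, written as Python `re` patterns and run over constructed sample events, plus a parse of the date-with-offset-but-no-time value so you can see what it resolves to before committing a TIME_FORMAT to props.conf. Splunk's `(?<name>...)` groups become `(?P<name>...)` in Python; the sample events are constructed.

```python
import re
from datetime import datetime

# Constructed sample events (not from the thread) in the "time":"YYYY-MM-DD+hh:mm" shape.
SAMPLE_EVENTS = [
    '{"time":"2020-12-04+01:00","user":"alice","action":"login"}',
    '{"time":"2021-01-15-05:00","user":"bob","action":"logout"}',
    '{"user":"carol","action":"noop"}',  # no time field at all
]

# Same capture logic as  | rex "\"time\":\"(?<time>\d+-\d+-\d+)"
DATE_ONLY_RE = re.compile(r'"time":"(?P<time>\d+-\d+-\d+)')
# Same capture logic as  | rex "\"time\":\"(?<time>[^\"]+)\""
FULL_VALUE_RE = re.compile(r'"time":"(?P<time>[^"]+)"')
# Same capture logic as  | rex "^(?<time>[^\|]+?)\s*\|"  with the file name added
PIPE_RE = re.compile(r"^(?P<time>[^|]+?)\s*\|\s*(?P<file>.+)$")


def extract_date(event: str):
    """Return just 'YYYY-MM-DD' from the time field, or None when absent."""
    m = DATE_ONLY_RE.search(event)
    return m.group("time") if m else None


def extract_full(event: str):
    """Return the whole value, e.g. '2020-12-04+01:00', or None when absent."""
    m = FULL_VALUE_RE.search(event)
    return m.group("time") if m else None


def split_pipe_event(line: str):
    """Split 'Jan 22 06:53 | 21361MA54268.done' into (time, file) without trailing spaces."""
    m = PIPE_RE.match(line)
    return (m.group("time"), m.group("file")) if m else None


def parse_time(value: str) -> datetime:
    """Parse a date+offset value (Splunk TIME_FORMAT %Y-%m-%d%:z).
    There is no clock time in the value, so it resolves to midnight in that offset.
    Python's %z accepts '+01:00' directly (3.7+), so no separate %:z directive is needed."""
    return datetime.strptime(value, "%Y-%m-%d%z")


def to_epoch(value: str) -> int:
    """Epoch seconds for the value, i.e. what the strptime path in the thread produces."""
    return int(parse_time(value).timestamp())
```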
