TIME_FORMAT regex help

Esky73 · ‎01-30-2017

12/02/2015 12:00:00 AM, Execute time: 0150

looking to extract the date and the 24hr time pls

jplumsdaine22 · ‎01-31-2017

See here for the time format variables
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Assuming the date is month/day/year and the time is a 12 hour clock (not 24 hour as you say), try
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p

Esky73 · ‎01-31-2017

it is definitely 24h - thanks i'll try first thing in the morn

jplumsdaine22 · ‎01-31-2017

If its 24 hours, why does it have a AM/PM ? 16:00:00 AM wouldn't make much sense!

Esky73 · ‎01-31-2017

i see your point - however, further entries:

12/02/2015 12:00:00 AM, Execute Time: 1415
12/02/2015 12:00:00 AM, Execute Time: 1500
12/02/2015 12:00:00 AM, Execute Time: 1515
12/02/2015 12:00:00 AM, Execute Time: 1315

harshal_chakran · ‎01-30-2017

Try this:

rex field=_raw "(?ms)^(?P\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}\s+\w{2})"

You can use Splunk's "Extract Fields" from Event Actions to perform the same.

Esky73 · ‎01-30-2017

hi thanks - i'm trying to do this in a props.conf file - not in a search

TIME_FORMAT regex help

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

TIME_FORMAT regex help

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions