how to eliminate the required values in field

james_n · ‎01-12-2021

Hi Experts,

Please help with regex to parse the hh:mm:ss into separate filed as show below.

message:

hello this is the first message from splunk 12:45:13
hai this is the second message from splunk
hello this is the third message from splunk 19:43:53

expected outpout:

subject: time:
hello this is the first message from splunk 12:45:13
hai this is the second message from splunk
hello this is the third message from splunk 19:43:53

| rex field=message "(?<subject>.\w+)\s*(?<time>.\d+:\d+:\d+)?" but not worked. plz help thanks in advance.

bowesmana · ‎01-12-2021

@james_n

This will work for your example, but not sure if it will work for all your data

| rex field=message "(?<subject>.*) (?<time>\d+:\d+:\d+)?"

to4kawa · ‎01-12-2021

please rex separately.

how to eliminate the required values in field

development

using Splunk Enterprise

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

how to eliminate the required values in field

development

using Splunk Enterprise

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem