Re: how to eliminate the required values in field

james_n · ‎01-12-2021

Hi Experts,

Please help with regex to parse the hh:mm:ss into separate filed as show below.

message:

hello this is the first message from splunk 12:45:13
hai this is the second message from splunk
hello this is the third message from splunk 19:43:53

expected outpout:

subject: time:
hello this is the first message from splunk 12:45:13
hai this is the second message from splunk
hello this is the third message from splunk 19:43:53

| rex field=message "(?<subject>.\w+)\s*(?<time>.\d+:\d+:\d+)?" but not worked. plz help thanks in advance.

bowesmana · ‎01-12-2021

@james_n

This will work for your example, but not sure if it will work for all your data

| rex field=message "(?<subject>.*) (?<time>\d+:\d+:\d+)?"

to4kawa · ‎01-12-2021

please rex separately.

how to eliminate the required values in field

development

using Splunk Enterprise

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?