Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract time from log

shwetamis
Explorer
‎12-03-2019 11:44 AM

Below is my data
2019-12-03 14:20:55,679 ------------------ Begin Request -----------------

How do I extract begin time 14:20:55 from the above log data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-03-2019 06:47 PM

Hi

Try this

| makeresults 
| eval temp="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------" 
| rex field=temp "\d{4}-\d{2}-\d{2}\s(?P<beginTime>\d{2}:\d{2}:\d{2})"

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎12-03-2019 06:47 PM

Hi

Try this

| makeresults 
| eval temp="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------" 
| rex field=temp "\d{4}-\d{2}-\d{2}\s(?P<beginTime>\d{2}:\d{2}:\d{2})"
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:14 AM

Thank you this one worked.

0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:16 AM

Also I don't want to hardcode the time in the search, as it is not for one transaction, how to I do that ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-03-2019 02:25 PM

Like this:

... | eval begin=strptime(_raw, "%Y-%m-%d %H:%M:%S,%3N")
0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:18 AM

is _raw field that hold values of time ? if so then it returns raw data it doesn't return the time

0 Karma
Reply
Solved! Jump to solution

aberkow
Builder
‎12-03-2019 01:12 PM

If you're sure that is the raw format for all of your logs, you can write a simple regex leveraging the rex command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Rex#Syntax. Rough example syntax below:

{code}
| makeresults count=1
| eval _raw="2019-12-03 14:20:55,679 ------------------ Begin Request -----------------"
| rex field=_raw ".\s(?.),.*"

{code}

If you run this code, you can see that I generate a similar event to the line you posted above, and then run the rex command with a capturing group around "timeStamp", which is anything after the first whitespace up until the first comma. For your case you don't need to generate the _raw field as that is just a representation of the log you already have on your machine.

Why I call this "rough" syntax is you want to make sure the regex works for all of your log formats, so this means either running it against multiple logs and making sure that the timeStamp field is always populated or iterating on the regex (I like regex101.com for that, it has a workspace and good tips on the side) since you will have access to more log information than me. In general, using the rex command is a great way to extract information from a string in Splunk though!

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

shwetamis
Explorer
‎12-04-2019 06:16 AM

I don't want to hardcode the time, as I am searching for multiple transactions

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...