Splunk Search

Help using regex to break a comma separated string

New Member

I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.

Example String:

,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO

I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.

Any help is appreciated.

0 Karma
1 Solution

Esteemed Legend

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

0 Karma

New Member

@woodcock...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

Motivator

You just need the first in the list; use max_match=1

| rex field=<your field> max_match=1 ",(?<first_field>[^,]+)"

0 Karma

New Member

@arjunpkishore5...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

Explorer

Hi, I have this regular expression - [^"\n]"\w+\s+(?P[^"]+)
but when I try to do | rex field=_raw "[^"\n]"\w+\s+(?P[^"]+)" it doesn't work

0 Karma

SplunkTrust

You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.

... | eval foo=mvindex(split(_raw, ","), 1)
---
If this reply helps you, an upvote would be appreciated.

Path Finder

Indeed, I didn't think to solve it with split 🙂

In this case split vs regex:
"Too easy - let's muddle it up some..."

0 Karma

New Member

@richgalloway...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

SplunkTrust

@mdurdel, If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Communicator

Hi,

Try this

| rex field=_raw ",(?P<Date>[^\s]+) (?P<Time>[^\s]+)" | table Date Time

Regards,
Anantha.

0 Karma
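Added worked example (not from any poster in this thread): the three approaches above, woodcock's and arjunpkishore5's rex patterns, richgalloway's split/mvindex, and Anantha's Date/Time split, run in Python's re against a constructed string of the same shape as the one in the question, so the behaviour of each can be checked outside Splunk. Splunk's rex writes named groups as (?<name>...); Python needs (?P<name>...), otherwise the patterns are the same. The leading-comma caveat and the strptime parse at the end are my additions, not anything the thread states.

```python
import re
from datetime import datetime

# Constructed sample: leading comma, comma-separated entries, no trailing comma,
# the same shape as the string in the question.
SAMPLE = (",05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO"
          ",08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO"
          ",08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO")

# woodcock's pattern, with the Python named-group syntax.
FIRST_STAMP = re.compile(r"[,\s]+(?P<first>[^,]+)")
# Anantha's pattern; \S is the same as [^\s].
DATE_TIME = re.compile(r",(?P<Date>\S+) (?P<Time>\S+)")
# Assumed variant (mine): works whether or not the string starts with a comma.
FIRST_STAMP_ANY = re.compile(r"^,?(?P<first>[^,]+)")
# Assumed variant (mine): also takes the AM/PM marker into the time capture.
STAMP_FOR_PARSE = re.compile(r",(?P<stamp>\S+ \S+ [AP]M)")


def first_stamp_rex(s):
    """What `rex` returns by default (max_match=1): the first match only."""
    m = FIRST_STAMP.search(s)
    return m.group("first") if m else None


def all_stamps(s):
    """What `rex max_match=0` would give: every entry as a multivalue field."""
    return FIRST_STAMP.findall(s)


def first_stamp_split(s):
    """mvindex(split(_raw, ","), 1): index 1 because the leading comma
    makes element 0 an empty string."""
    parts = s.split(",")
    return parts[1] if len(parts) > 1 else None


def first_stamp_any(s):
    """Does not depend on the leading comma being present."""
    m = FIRST_STAMP_ANY.search(s)
    return m.group("first") if m else None


def date_time_parts(s):
    """Anantha's Date/Time capture. Note that Time stops at the first space,
    so the AM/PM marker is not part of it."""
    m = DATE_TIME.search(s)
    return (m.group("Date"), m.group("Time")) if m else None


def parse_first(s):
    """Turn the first entry into a real datetime (timezone name left aside).
    strptime's %b match is case-insensitive, so NOV is accepted."""
    m = STAMP_FOR_PARSE.search(s)
    if not m:
        return None
    return datetime.strptime(m.group("stamp"), "%d-%b-%y %I.%M.%S.%f %p")


if __name__ == "__main__":
    print(first_stamp_rex(SAMPLE))
    print(first_stamp_split(SAMPLE))
    print(all_stamps(SAMPLE))
    print(date_time_parts(SAMPLE))
    print(parse_first(SAMPLE).isoformat())
    # Without the leading comma, split picks the second entry and
    # woodcock's pattern skips to after the first space.
    print(first_stamp_split(SAMPLE.lstrip(",")), first_stamp_any(SAMPLE.lstrip(",")))
```

The point worth keeping in mind for a saved search or a field extraction: every answer in this thread relies on the leading comma. If an event ever arrives without it, the split/mvindex version silently returns the second timestamp and the `[,\s]+` pattern returns the part after the first space, so a pattern anchored at the start of the field with an optional comma is the safer extraction when the source cannot be trusted to be consistent.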