I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.
,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 188.8.131.525000 PM AMERICA/CHICAGO
I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.
Any help is appreciated.
You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.
... | eval foo=mvindex(split(_raw, ","), 1)
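The search below reproduces the answer's split/mvindex approach next to a rex equivalent so the two can be compared on one event. It is an added example, not part of the original answer: the field names ts_list, first_ts and first_ts_rex are made up for illustration, and the sample value is the question's string shortened to its first two timestamps.

```spl
| makeresults
| eval ts_list=",05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO"
| eval first_ts=mvindex(split(ts_list, ","), 1)
| rex field=ts_list "^,(?<first_ts_rex>[^,]+)"
| eval same=if(first_ts == first_ts_rex, "yes", "no")
| table ts_list first_ts first_ts_rex same
```

The leading comma makes the first element of the split empty, which is why the answer takes index 1 rather than 0. The rex pattern anchors on that same leading comma and captures everything up to the next one.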