Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help using regex to break a comma separated string

mdurdel
New Member
‎11-08-2019 11:02 AM

I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.

Example String:

,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO

I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.

Any help is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-09-2019 03:21 PM

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-09-2019 03:21 PM

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mdurdel
New Member
‎11-11-2019 07:01 AM

@woodcock...Thank you for the response. This did work to extract the value I am looking for.

0 Karma
Reply
Solved! Jump to solution

arjunpkishore5
Motivator
‎11-09-2019 11:07 AM

You just need the first in the list, use max_match=1

| rex field=<your field> max_match=1 ",(?<first_field>[^,]+)"
0 Karma
Reply
Solved! Jump to solution

mdurdel
New Member
‎11-11-2019 07:05 AM

@arjunpkishore5...Thank you for the response. This did work to extract the value I am looking for.

0 Karma
Reply
Solved! Jump to solution

rashi83
Explorer
‎11-08-2019 12:24 PM

Hi , I have this regular expression - [^"\n]"\w+\s+(?P[^"]+)
but when I try to do | rex field =_raw "[^"\n]"\w+\s+(?P[^"]+)" it doesn't work

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2019 11:57 AM

You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.

... | eval foo=mvindex(split(_raw, ","), 1)
---
If this reply helps you, an upvote would be appreciated.
Reply
Solved! Jump to solution

manuelostertag
Path Finder
‎12-20-2019 05:59 AM

Indeed, I didn't think to solve it with split 🙂

In this case split vs regex:
"Too easy - let's muddle it up some..."

0 Karma
Reply
Solved! Jump to solution

mdurdel
New Member
‎11-11-2019 07:02 AM

@richgalloway...Thank you for the response. This did work to extract the value I am looking for.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2019 10:22 AM

@mdurdel, If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Anantha123
Communicator
‎11-08-2019 11:15 AM

Hi,

Try this

|rex field=_raw \,(?P<Date>[^\s]+) (?P<Time>[^\s]+) | table Date Time

Regards,
Anantha.

0 Karma
Reply
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!