I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.
,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 22.214.171.1245000 PM AMERICA/CHICAGO
I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.
Any help is appreciated.
While using split I am facing an issue; in my events I have null values for a field sometimes.
For example -
f1,f2,f3,f4,f5 - this works perfectly
but the data below, with missing values in a few fields, is giving issues.
The split command suggests f5 is f4.
Can this be handled?
Thanks in advance!!!
You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.
... | eval foo=mvindex(split(_raw, ","), 1)
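A rex-based variant covering both cases raised in this thread, added here as an example and not taken from any of the posts. The field names stamps, line and first_stamp are assumptions, and both sample values are constructed (the first is shortened from the question's string, the second has an empty third field). Each [^,]* group is anchored to one comma-delimited position, so an empty field does not shift f4 and f5.

```spl
| makeresults
| eval stamps=",05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO"
| eval line="a,b,,d,e"
| rex field=stamps "^,(?<first_stamp>[^,]+)"
| rex field=line "^(?<f1>[^,]*),(?<f2>[^,]*),(?<f3>[^,]*),(?<f4>[^,]*),(?<f5>[^,]*)$"
| table first_stamp f1 f2 f3 f4 f5
```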