Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract this date and time from a string in the format YYYYMMDDHHMMSS, and output it as DD:MM:YYYY HH:MM:SS AM?

nilotpaldutta
Explorer
‎12-03-2015 03:31 AM

Hi,

I have a search that gives me the following output:

/u01/splunk/etc/apps/sampleApp/data/order-20151203120002.log

How can I extract the date and time from the above output and show it in a column like:

03:12:2015 12:00:02 AM (or PM)

Looking forward to your help. Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ludoz13
Path Finder
‎12-03-2015 04:42 AM

Hi,

Have you try this :

...... | rex field=test ".*-(?P\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

In my side, it seems to work 

| stats count | eval test="/u01/splunk/etc/apps/sampleApp/data/order-20151203120002.log"| rex field=test ".*-(?P\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

LudoZ

View solution in original post

Reply
Solved! Jump to solution
Solution

ludoz13
Path Finder
‎12-03-2015 04:42 AM

Hi,

Have you try this :

...... | rex field=test ".*-(?P\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

In my side, it seems to work 

| stats count | eval test="/u01/splunk/etc/apps/sampleApp/data/order-20151203120002.log"| rex field=test ".*-(?P\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

LudoZ

Reply
Solved! Jump to solution

nilotpaldutta
Explorer
‎12-03-2015 08:04 PM

Hi lodoz13,
Thanks for the answer.

I am getting this error now -

Error in 'rex' command: Encountered the following error while compiling the regex '.*-(?P\d+)\.log$': Regex: unrecognized character after (?P

This is my search:

index="_index"| dedup source | sort -source | dedup sourcetype | table sourcetype, source | rex field=source ".*-(?P\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

Am I doing something wrong?

TIA

0 Karma
Reply
Solved! Jump to solution

nilotpaldutta
Explorer
‎12-03-2015 10:40 PM

It's working now. Just had to add escape character before d+ and add a place holder for the extracted field.

index="_index"| dedup source | sort -source | dedup sourcetype | table sourcetype, source | rex field=source ".*-(?P<date>\d+)\.log$" | eval date=strptime(date,"%Y%m%d%H%M%S")  | convert timeformat="%d:%m:%Y %H:%M:%S" ctime(date)

Thanks for your help. I'm accepting your answer.

Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...