Solved: How do I extract this date time field from my samp...

cyberportnoc · ‎07-28-2016

I used this search, but it is not extracting the date time field properly. I will use this date time as a common field to join openstack api to find a public ip.

"conn" | rex field=_raw "(?P...\d+\d+:\d+:\d+)"

2nd try, also no result:

"conn" | rex field=_raw "(?P\[\s*(\d+/\D+/.*?)\])" | stats count by ddate

Sample event:

Jul 28 09:52:47 icns02 slapd[17684]: conn=1228614 fd=22 closed

inventsekar · ‎07-28-2016

Tested this and works fine:

conn | rex field=_raw "^(?P\w+\s+\d+\s+\d+:\d+:\d+)" | stats count by ddate

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

inventsekar · ‎07-28-2016

May I know if that rex on my reply worked fine or not.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar · ‎07-28-2016

Tested this and works fine:

conn | rex field=_raw "^(?P\w+\s+\d+\s+\d+:\d+:\d+)" | stats count by ddate

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How do I extract this date time field from my sample data using rex?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How do I extract this date time field from my sample data using rex?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!