Solved: How do I extract this date time field from my samp...

cyberportnoc · ‎07-28-2016

I used this search, but it is not extracting the date time field properly. I will use this date time as a common field to join openstack api to find a public ip.

"conn" | rex field=_raw "(?P...\d+\d+:\d+:\d+)"

2nd try, also no result:

"conn" | rex field=_raw "(?P\[\s*(\d+/\D+/.*?)\])" | stats count by ddate

Sample event:

Jul 28 09:52:47 icns02 slapd[17684]: conn=1228614 fd=22 closed

inventsekar · ‎07-28-2016

Tested this and works fine:

conn | rex field=_raw "^(?P\w+\s+\d+\s+\d+:\d+:\d+)" | stats count by ddate

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

inventsekar · ‎07-28-2016

May I know if that rex on my reply worked fine or not.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar · ‎07-28-2016

Tested this and works fine:

conn | rex field=_raw "^(?P\w+\s+\d+\s+\d+:\d+:\d+)" | stats count by ddate

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How do I extract this date time field from my sample data using rex?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How do I extract this date time field from my sample data using rex?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside