Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to extract the date and time from my sample data?

dbcase
Motivator
‎09-09-2016 03:02 PM

Hi,

I have data that looks like this:

"-" 10.30.28.1 "10.30.28.1" - - [09/Sep/2016:16:58:31 -0500] "GET /ICHealthCheck/serverstatus HTTP/1.0" 200 2 0 UCT-11666 "-" "-" "-"

And I'm trying to write a regular expression that extracts several fields:

So far I have:

(?P<host>[^"]+)[^ \n]* (?P<remote_host>[^ ]+)\s+(?P<x_forwarded_for>[^ ]+)\s+(?P<remote_logname>[^ ]+)\s+(?P<remote_user>\-)\s+

And this works, but I'm stuck at extracting the date and time 09/Sep/2016:16:58:31 in this case. The [ is throwing me off.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 03:10 PM

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 03:10 PM

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-09-2016 03:15 PM

Thanks Sundareshr! Maybe a space delimited extraction is the way to go. Let me try that instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...