Splunk Search

How to edit my regular expression to extract the date and time from my sample data?

dbcase
Motivator

Hi,

I have data that looks like this:

"-" 10.30.28.1 "10.30.28.1" - - [09/Sep/2016:16:58:31 -0500] "GET /ICHealthCheck/serverstatus HTTP/1.0" 200 2 0 UCT-11666 "-" "-" "-"

And I'm trying to write a regular expression that extracts several fields:

So far I have:

(?P<host>[^"]+)[^ \n]* (?P<remote_host>[^ ]+)\s+(?P<x_forwarded_for>[^ ]+)\s+(?P<remote_logname>[^ ]+)\s+(?P<remote_user>\-)\s+

And this works, but I'm stuck at extracting the date and time 09/Sep/2016:16:58:31 in this case. The [ is throwing me off.

0 Karma
1 Solution

sundareshr
Legend

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)

View solution in original post

sundareshr
Legend

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)

dbcase
Motivator

Thanks Sundareshr! Maybe a space delimited extraction is the way to go. Let me try that instead.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...