Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to extract the date and time from my sample data?

dbcase
Motivator
‎09-09-2016 03:02 PM

Hi,

I have data that looks like this:

"-" 10.30.28.1 "10.30.28.1" - - [09/Sep/2016:16:58:31 -0500] "GET /ICHealthCheck/serverstatus HTTP/1.0" 200 2 0 UCT-11666 "-" "-" "-"

And I'm trying to write a regular expression that extracts several fields:

So far I have:

(?P<host>[^"]+)[^ \n]* (?P<remote_host>[^ ]+)\s+(?P<x_forwarded_for>[^ ]+)\s+(?P<remote_logname>[^ ]+)\s+(?P<remote_user>\-)\s+

And this works, but I'm stuck at extracting the date and time 09/Sep/2016:16:58:31 in this case. The [ is throwing me off.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 03:10 PM

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 03:10 PM

For Date & Time, this should work. Also I would not recommend creating one big regex, even if one character position changes, your fields will not be exractracted and will become very difficult to debug. I would recommend treating this as a space delimited in field extraction UI (IFX). Regardless, for date/time, you need to escape the [ & ] chars. Like this

\[(?<datetime>[^\s]+)
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-09-2016 03:15 PM

Thanks Sundareshr! Maybe a space delimited extraction is the way to go. Let me try that instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...