Solved: Re: How to extract a date from a string?

rmuraly · ‎06-15-2017

Hi,

I have a string
'ABC_GFD_NOCS_RPT_HIST_2017-05-12_5min.csv'

How do I extract '2017-05-12' from 'ABC_GFD_NOCS_RPT_HIST_2017-05-12_5min.csv' in my saved search?

niketn · ‎06-15-2017

You might have to add mocked up raw data and also your search for us to help you better. However, based on what you have provided please try following regular expression:

| rex field=_raw "_(?<Date>\d{4}-\d{2}-\d{2})_"
| table Date _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-15-2017

You might have to add mocked up raw data and also your search for us to help you better. However, based on what you have provided please try following regular expression:

| rex field=_raw "_(?<Date>\d{4}-\d{2}-\d{2})_"
| table Date _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎06-15-2017

@rmuraly, I have converted my comment as answer. Please accept to mark the question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rmuraly · ‎06-15-2017

I had to extract the date from my source file and this helps me do it.

| stats count | eval source="ABC_GFD_NOCS_RPT_HIST_2017-05-12_5min.csv"| rex field=source"(?\d{4}-\d{2}-\d{2})"
| table Date,source

Thank you

somesoni2 · ‎06-15-2017

If this string is part of an already extracted field, say file_path, then in rex command, use file_path instead of _raw.

rmuraly · ‎06-15-2017

I had to extract the date from my source file and this helps me do it.

| stats count | eval source="ABC_GFD_NOCS_RPT_HIST_2017-05-12_5min.csv"| rex field=source"(?\d{4}-\d{2}-\d{2})"
| table Date,source

Thank you

How to extract a date from a string?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms