Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to select second date string from email?

timrich66
Communicator
‎03-02-2018 07:28 AM

Currently, our support team is sent an email that reports start and end times for jobs. It comes from an ancient system so the report cannot be updated. I need to extract jobname, start date/time, end date/time and status. I am having trouble extracting the second date/time. Can someone assist, please?

Here is an example of the email -

JOB RUN REPORT
Jobname Last Start Last End Status
job#1 2018/03/02 23:00:00 2018/03/02 23:01:00 SU
job#2 2018/03/02 23:01:01 2018/03/02 23:01:50 SU
job#3 2018/03/02 23:02:01 2018/03/02 23:03:50 FA
etc etc

These are my rex's to collect the date/time fields - please be gentle, this is my first effort at regex & rex in Splunk.

To Collect the start -
| rex field=_raw "(?(...([0-9]{2}\/[0-9]{2}\/[0-9]{4}).([0-9]{2}:[0-9]{2}:[0-9]{2})))" max_match=0

To Collect the end - this is the one that isn't working because it gets the last digit from the start time.

| rex field=_raw "(?([0-9]..([0-9]{2}\/[0-9]{2}\/[0-9]{4}).([0-9]{2}:[0-9]{2}:[0-9]{2})))" max_match=0

Please let me know if anything needs more explanation. Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-02-2018 09:48 AM

@timrich66, you can write a single rex to extract all the fields you are interested in. Following is a run anywhere search example based on the same data provided above. Instead of the makeresults and eval commands you would need to use your base search to test with the actual data. 

| makeresults
| eval _raw="job#1 2018/03/02 23:00:00 2018/03/02 23:01:00 SU
job#2 2018/03/02 23:01:01 2018/03/02 23:01:50 SU
job#3 2018/03/02 23:02:01 2018/03/02 23:03:50 FA"
| rex "job#(?<job_num>[^\s]+)\s(?<start_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2})\s(?<end_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2})\s(?<status>\w+)" max_match=0

PS: For testing and picking up on regular expressions you should check out regex101.com

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-02-2018 09:48 AM

@timrich66, you can write a single rex to extract all the fields you are interested in. Following is a run anywhere search example based on the same data provided above. Instead of the makeresults and eval commands you would need to use your base search to test with the actual data. 

| makeresults
| eval _raw="job#1 2018/03/02 23:00:00 2018/03/02 23:01:00 SU
job#2 2018/03/02 23:01:01 2018/03/02 23:01:50 SU
job#3 2018/03/02 23:02:01 2018/03/02 23:03:50 FA"
| rex "job#(?<job_num>[^\s]+)\s(?<start_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2})\s(?<end_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2})\s(?<status>\w+)" max_match=0

PS: For testing and picking up on regular expressions you should check out regex101.com

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

timrich66
Communicator
‎03-06-2018 08:11 AM

Thanks,@niketnilay, I've got that working now.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-07-2018 02:53 AM

@timrich66, glad you got it working. Please accept the answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...