Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Please help with Date extraction from below string

bhaskar5428
Explorer
‎03-24-2022 12:13 AM

i have system column "_time" with below output 

2022-03-16 11:12:18.723

i would like segregate date and time by rex command 

output should be like this with new column name 

Date = 2022-03-16

Time = 11:12:18

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2022 12:57 AM

If it is already in the _time field, it is probably already in epoch time format, so try this

| eval Date=strftime(_time,"%F")
| eval Time=strftime(_time,"%T")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bhaskar5428
Explorer
‎03-24-2022 01:15 AM

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220316-111218.log*
| rex field=_time "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d"
| table date,time

am using this but getting error 

Error in 'rex' command: Encountered the following error while compiling the regex '^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d': Regex: missing closing parenthesis.
The search job has failed due to an error. You may be able view the job in the 
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2022 01:23 AM

Hi @bhaskar5428,

sorry I missed a paranthesi at the end of the regex, please try this:

| rex field=_time "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d)"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2022 12:57 AM

If it is already in the _time field, it is probably already in epoch time format, so try this

| eval Date=strftime(_time,"%F")
| eval Time=strftime(_time,"%T")
0 Karma
Reply
Solved! Jump to solution

bhaskar5428
Explorer
‎03-24-2022 01:26 AM

Thanks , it worked 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-24-2022 12:54 AM

Hi @bhaskar5428,

let me understand: are you spoeaking of search time extraction or timestamp configuration?

if search time extraction, you could use a regex like this:

| rex "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d"

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...