Solved: Please help with Date extraction from below string

bhaskar5428 · ‎03-24-2022

i have system column "_time" with below output

2022-03-16 11:12:18.723

i would like segregate date and time by rex command

output should be like this with new column name

Date = 2022-03-16

Time = 11:12:18

ITWhisperer · ‎03-24-2022

If it is already in the _time field, it is probably already in epoch time format, so try this

| eval Date=strftime(_time,"%F")
| eval Time=strftime(_time,"%T")

View solution in original post

bhaskar5428 · ‎03-24-2022

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220316-111218.log*
| rex field=_time "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d"
| table date,time

am using this but getting error

Error in 'rex' command: Encountered the following error while compiling the regex '^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d': Regex: missing closing parenthesis.

The search job has failed due to an error. You may be able view the job in the

gcusello · ‎03-24-2022

Hi @bhaskar5428,

sorry I missed a paranthesi at the end of the regex, please try this:

| rex field=_time "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d)"

Ciao.

Giuseppe

ITWhisperer · ‎03-24-2022

If it is already in the _time field, it is probably already in epoch time format, so try this

| eval Date=strftime(_time,"%F")
| eval Time=strftime(_time,"%T")

bhaskar5428 · ‎03-24-2022

Thanks , it worked

gcusello · ‎03-24-2022

Hi @bhaskar5428,

let me understand: are you spoeaking of search time extraction or timestamp configuration?

if search time extraction, you could use a regex like this:

| rex "^(?<date>\d\d\d\d-\d\d-\d\d)\s+(?<time>\d\d:\d\d:\d\d\.\d\d\d"

Ciao.

Giuseppe

Please help with Date extraction from below string

rex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms