Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use regex on a known date field

jamescasey2
New Member
‎12-01-2017 09:54 AM

First, new to regex, so don't really know where to start. I've done some Google searching and up and down Splunk Answers.

I am creating a POC to search data and it has a known date field. The date field can be populated as d/m/yyyy, dd/m/yyyy, d/mm/yyyy, or dd/mm/year. It always follows the format of day/month/year separated by slashes.

Examples:
1/1/2017
1/11/2017
11/1/2017
11/11/2017

What I would like to do is extract that day month and year as independent pieces to analyze. Id like to extract values based on the slash.

Start point: FiledDate = m/d/yyyy
End point: FiledDateMonth = m , FiledDateDay = d , FiledDayYear = yyyy

Thanks for your help.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2017 01:27 PM

If you indexed it properly with TIME_FORMAT = %m/%d/%Y, then you can just do this:

| eval date_month=strftime(_time, "%m")
| eval date_mday=strftime(_time, "%d")
| eval date_year=strftime(_time, "%Y")
0 Karma
Reply

somesoni2
Revered Legend
‎12-01-2017 10:33 AM

There can be multiple methods for it.

Using rex command

your search with field FiledDate | rex field=FiledDate "(?<FiledDateDay>\d+)\/(?<FiledDateMonth>\d+)\/(?<FiledDateYear>\d+)"

Using time conversion commands

your search with field FiledDate | eval temp=strptime(FiledDate,"%d/%m/%Y") | eval FiledDateDay=stftime(temp,"%d") | eval FiledDateMonth=stftime(temp,"%m") | eval FiledDateYear=stftime(temp,"%Y")

Using String split command

your search with field FiledDate | eval FiledDateDay=mvindex(split(FiledDate,"/"),0) | eval FiledDateMonth=mvindex(split(FiledDate,"/"),1)| eval FiledDateYear=mvindex(split(FiledDate,"/"),2)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎12-01-2017 10:30 AM

Use the following :

(?P<FiledDateMonth>\d+)/(?P<FiledDateDay>\d+)/(?P<FiledDayYear>\d{4})

It will match all of your data parameters. In a rex command it would look like this:

... | rex field=FiledDate "(?P<FiledDateMonth>\d+)/(?P<FiledDateDay>\d+)/(?P<FiledDayYear>\d{4})"
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top