Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use regex on a known date field

jamescasey2
New Member
‎12-01-2017 09:54 AM

First, new to regex, so don't really know where to start. I've done some Google searching and up and down Splunk Answers.

I am creating a POC to search data and it has a known date field. The date field can be populated as d/m/yyyy, dd/m/yyyy, d/mm/yyyy, or dd/mm/year. It always follows the format of day/month/year separated by slashes.

Examples:
1/1/2017
1/11/2017
11/1/2017
11/11/2017

What I would like to do is extract that day month and year as independent pieces to analyze. Id like to extract values based on the slash.

Start point: FiledDate = m/d/yyyy
End point: FiledDateMonth = m , FiledDateDay = d , FiledDayYear = yyyy

Thanks for your help.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2017 01:27 PM

If you indexed it properly with TIME_FORMAT = %m/%d/%Y, then you can just do this:

| eval date_month=strftime(_time, "%m")
| eval date_mday=strftime(_time, "%d")
| eval date_year=strftime(_time, "%Y")
0 Karma
Reply

somesoni2
Revered Legend
‎12-01-2017 10:33 AM

There can be multiple methods for it.

Using rex command

your search with field FiledDate | rex field=FiledDate "(?<FiledDateDay>\d+)\/(?<FiledDateMonth>\d+)\/(?<FiledDateYear>\d+)"

Using time conversion commands

your search with field FiledDate | eval temp=strptime(FiledDate,"%d/%m/%Y") | eval FiledDateDay=stftime(temp,"%d") | eval FiledDateMonth=stftime(temp,"%m") | eval FiledDateYear=stftime(temp,"%Y")

Using String split command

your search with field FiledDate | eval FiledDateDay=mvindex(split(FiledDate,"/"),0) | eval FiledDateMonth=mvindex(split(FiledDate,"/"),1)| eval FiledDateYear=mvindex(split(FiledDate,"/"),2)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎12-01-2017 10:30 AM

Use the following :

(?P<FiledDateMonth>\d+)/(?P<FiledDateDay>\d+)/(?P<FiledDayYear>\d{4})

It will match all of your data parameters. In a rex command it would look like this:

... | rex field=FiledDate "(?P<FiledDateMonth>\d+)/(?P<FiledDateDay>\d+)/(?P<FiledDayYear>\d{4})"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...