Solved: Using regex on Extracted field

373782073 · ‎01-08-2020

Hi,
I have incoming syslog events for which I've used the Field Extraction wizard in SPLUNK to separate a the filename of the events which results in the field values look like this:

abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar

I would like to eventually extract and tabulate the filename (I've called it bkp_filename when I extracted this field earlier) as well as the date YYYY-MM-DD for each filename in a separate field (call it bkp_file_date).

Can anyone suggest how to use regex or an in-built function to achieve the date extraction into a separate field or column?

Thanks

MuS · ‎01-08-2020

Hi 373782073,

Give this a try:

| makeresults 
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar" 
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎01-08-2020

Hi 373782073,

Give this a try:

| makeresults 
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar" 
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"

Hope this helps ...

cheers, MuS

373782073 · ‎01-08-2020

Great. I was able to add the rex statement to my existing search and strip the info I wanted into separate fields.
Thanks a lot!

niketn · ‎01-08-2020

@373782073 is the above example the backup file name bkp_filename from which you need to extract date?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

373782073 · ‎01-08-2020

Yes this is the field extracted which has the date embedded

Using regex on Extracted field

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies