Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using regex on Extracted field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
373782073
Explorer
01-08-2020
05:18 PM
Hi,
I have incoming syslog events for which I've used the Field Extraction wizard in SPLUNK to separate a the filename of the events which results in the field values look like this:
abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar
I would like to eventually extract and tabulate the filename (I've called it bkp_filename when I extracted this field earlier) as well as the date YYYY-MM-DD for each filename in a separate field (call it bkp_file_date).
Can anyone suggest how to use regex or an in-built function to achieve the date extraction into a separate field or column?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
01-08-2020
05:32 PM
Hi 373782073,
Give this a try:
| makeresults
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar"
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
01-08-2020
05:32 PM
Hi 373782073,
Give this a try:
| makeresults
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar"
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
373782073
Explorer
01-08-2020
05:46 PM
Great. I was able to add the rex statement to my existing search and strip the info I wanted into separate fields.
Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
01-08-2020
05:31 PM
@373782073 is the above example the backup file name bkp_filename from which you need to extract date?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
373782073
Explorer
01-08-2020
05:33 PM
Yes this is the field extracted which has the date embedded
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
