Solved: Using regex on Extracted field

373782073 · ‎01-08-2020

Hi,
I have incoming syslog events for which I've used the Field Extraction wizard in SPLUNK to separate a the filename of the events which results in the field values look like this:

abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar

I would like to eventually extract and tabulate the filename (I've called it bkp_filename when I extracted this field earlier) as well as the date YYYY-MM-DD for each filename in a separate field (call it bkp_file_date).

Can anyone suggest how to use regex or an in-built function to achieve the date extraction into a separate field or column?

Thanks

MuS · ‎01-08-2020

Hi 373782073,

Give this a try:

| makeresults 
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar" 
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎01-08-2020

Hi 373782073,

Give this a try:

| makeresults 
| eval example="abc-servicen.City-backup-1986-01-08-16:00:43-level1.tar" 
| rex field=example "(?<bkp_filename>[a-zA-Z-\.]+)-(?<bkp_file_date>\d{4}-\d{2}-\d{2})"

Hope this helps ...

cheers, MuS

373782073 · ‎01-08-2020

Great. I was able to add the rex statement to my existing search and strip the info I wanted into separate fields.
Thanks a lot!

niketn · ‎01-08-2020

@373782073 is the above example the backup file name bkp_filename from which you need to extract date?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

373782073 · ‎01-08-2020

Yes this is the field extracted which has the date embedded

Using regex on Extracted field

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023

Platform Newsletter Highlights | March 2023