Splunk Search

Why is my current regex not extracting date and time fields from my log data?

mhng
New Member

Hi All

I have a log file which contain some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33

I tried to use this command, but it doesn't work for me. Any advise?

  My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

View solution in original post

stephanefotso
Motivator

here is my proposition

........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table  begin end
SGF

mhng
New Member

Thanks, your solution is working for me toooooo!

0 Karma

stephane_cyrill
Builder

answers.splunk.com/answers/231450/regex-i-want-to-match-a-string-and-then-extract-th.html#answer-231454

0 Karma

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

mhng
New Member

Thanks, for sharing this answer and the regex101 is awesome!

0 Karma

ppablo
Retired

Hi @mhng

If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...