Splunk Search

Why is my current regex not extracting date and time fields from my log data?

mhng
New Member

Hi All

I have a log file which contain some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33

I tried to use this command, but it doesn't work for me. Any advise?

  My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

View solution in original post

stephanefotso
Motivator

here is my proposition

........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table  begin end
SGF

mhng
New Member

Thanks, your solution is working for me toooooo!

0 Karma

stephane_cyrill
Builder

answers.splunk.com/answers/231450/regex-i-want-to-match-a-string-and-then-extract-th.html#answer-231454

0 Karma

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

mhng
New Member

Thanks, for sharing this answer and the regex101 is awesome!

0 Karma

ppablo
Retired

Hi @mhng

If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...