Hi All
I have a log file which contains some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33
I tried to use this command, but it doesn't work for me. Any advice?
My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:
(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)
Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.
Here is my proposition:
........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table begin end
Thanks, your solution is working for me toooooo!
Thanks for sharing this answer, and regex101 is awesome!
Hi @mhng
If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html
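
An offline check of the three patterns posted in this thread against the sample event from the question, as an added example that is not part of the original posts. Splunk's rex uses PCRE, so the `(?<name>...)` groups are rewritten to Python's `(?P<name>...)` first; the helper names (`pcre_to_python`, `extract`, `call_duration_seconds`) are hypothetical.

```python
import re
from datetime import datetime

# Sample event copied from the question.
EVENT = ("29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,"
         "tel:+6133445566,29/03/2014 14:04:33")

# Patterns exactly as posted in the thread (PCRE syntax, as rex expects).
ORIGINAL = (r"(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,"
            r"(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)")
FIXED = (r"(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,"
         r"(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)")
ANCHORED = r"^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"


def pcre_to_python(pattern):
    """Rewrite PCRE (?<name>...) groups as Python's (?P<name>...).

    Lookbehinds, (?<= and (?<!, are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(pattern, event):
    """Return the named groups as a dict, or None when the pattern fails."""
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else None


def call_duration_seconds(fields):
    """Seconds between the extracted begin and end timestamps (day first)."""
    fmt = "%d/%m/%Y %H:%M:%S"
    begin = datetime.strptime(fields["begin"], fmt)
    end = datetime.strptime(fields["end"], fmt)
    return int((end - begin).total_seconds())


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED),
                          ("anchored", ANCHORED)):
        fields = extract(pattern, EVENT)
        if fields is None:
            # The escaped dots never match the slashes and colons in the event.
            print(f"{name}: no match")
        else:
            print(f"{name}: {fields}, {call_duration_seconds(fields)} s")
```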