Splunk Search

Why is my current regex not extracting date and time fields from my log data?

mhng
New Member

Hi All

I have a log file which contain some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33

I tried to use this command, but it doesn't work for me. Any advise?

  My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

View solution in original post

stephanefotso
Motivator

here is my proposition

........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table  begin end
SGF

mhng
New Member

Thanks, your solution is working for me toooooo!

0 Karma

stephane_cyrill
Builder

answers.splunk.com/answers/231450/regex-i-want-to-match-a-string-and-then-extract-th.html#answer-231454

0 Karma

jeffland
SplunkTrust
SplunkTrust

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

mhng
New Member

Thanks, for sharing this answer and the regex101 is awesome!

0 Karma

ppablo
Retired

Hi @mhng

If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...