Can you explain the part rex field=_raw "(?i).log:(?P[^,]+)" of regex

You can create your own regex statement or you can use splunk's exact field option to get the same. I have used it to get the value.

Please mark it as an answer if it solved your problem.

Thank you it is working.Can you explain search query completely.

In your case splunk should automatically retrieve the timestamp from the log details. Even if you want to get it manually the search should be like the above one. I have updated the query in the answer. I am not aware if you are dividing the events or not, the timestamp can also be extracted from the log itself to assign it to the event time.

20131209.dbg-11-trc-0.log:2013-12-09 17:52:04,021 [13771377] SUCCESS: Scan successful
I want the result
timestamp
november 2013

could you provide us a sample log file?
we could see the extraction derive the timestamp.

No i have problem with the statement timestamp=strftime(m,"%b %d %Y") i couldn't derive both strptime(timestamp,"%Y-%m-%d") and strftime(m,"%b %d %Y") so i m getting no result

So are you getting the correct strptime?

i tried with what you said kristian.it's extracting the corect part of timestamp from the log.But timestamp=strftime(m,"%b %d %Y")is not working properly i think and so i am getting no results.

What linu1988 describes is the correct method. However, there is a slight error in the rex statement, where the backslashes are missing, probably through a copy-paste error. The following is probably more correct;

rex ":(?<timestamp>\S+)\s"

But you should also verify that the rex actually extracts the correct part of your events - otherwise the strptime/strftime functions won't work.

I am getting no results after running this search query.Can you please resolve