interesting regex

dbcase · ‎07-12-2018

Hi,

I have data that looks like this

2018-06-11 23:37:11,035 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService

2018-06-11 23:37:09,386 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - In register camera update event, with accessToken 

2018-06-11 23:37:07,763 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - Reponse of camera update event

I need to be able to extract out the date and time on each event . (i.e. 2018-06-11 23:37:11,035)

cpetterborg · ‎07-12-2018

If the data is going into Splunk correctly, then you should have the time in the variable _time as well as getting access to each of the fields named date_* for the year, month, day, hour, minute, second. You would not get the sub-second value automatically. The _time field can be output in any number of formats. So you should have that same data available to you without having to use a regex.

If on the other hand you have need of that date specifically, then you can use a regex (like that provided by @kamiesh_veghela). Do you need that date broken up into different fields? If so, that is another regex, but can be done easily enough.

kamlesh_vaghela · ‎07-12-2018

@dbcase,

Are you looking for this?

| makeresults | eval _raw="2018-06-11 23:37:07,763 pool-10-thread-1 DEBUG c.i.w.i.s.WholesaleCVRService - Reponse of camera update event " | rex field=_raw "(?<my_date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3})" | table my_date

dbcase · ‎07-12-2018

Thanks Kamlesh! that works!!!!

richgalloway · ‎01-12-2019

@dbcase If your problem is resolved, please accept the answer to help future readers and to give the answerer the promised Karma points.

---
If this reply helps you, Karma would be appreciated.

kamlesh_vaghela · ‎07-12-2018

Great!!
Can you please accept the answer to close this question?

interesting regex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!