Hi,
I have uploaded a CSV file and in Splunk the event looks like this:
Can anyone help me split time into date and time from time = 2016-07-20 10:00:00+1000?
Also, the source format is -yyyy.mm.dd-hh_mm_ss.csv; the first word is the hostname of the server from which the logs were collected and converted into CSV. Is it possible to fetch the hostname from source by using a regex, and how?
"GTP_C2-12",33,2016-07-20 10:00:00+1000,300073,0.246,0.000,0.000,0.020,0.000,0.023,0,0,0.000,0.000,0.020,2
avgRecordDuration = 0.246 host = rh4 index = probe_data source = exhi7g10 SessionTrackingStats-2016.07.19-10_00_01.csv time = 2016-07-20 10:00:00+1000 totalOpenSessions = 2
Thanks in advance.
Thanks
Rajeev
To separate date and time, try this
... | rex field=time "(?<date>[^\s]*)\s+(?<time>.*)" | ...
Getting the host name from the source field is similar.
... | rex field=source "(?<hostName>[^\s]*)" | ...
For date/time, if you intend to use it for date/time calculations, you will need to convert it. Try this
... | rex field=t "time = (?<dtm>[^\s]+\s[^\s]+)" | eval date=strftime(strptime(dtm, "%Y-%m-%d %H:%M:%S"), "%Y-%m-%d") | eval time=strftime(strptime(dtm, "%Y-%m-%d %H:%M:%S"), "%H:%M:%S") | table t dtm date time
And for host name
... | rex field=source "^(?<host>\w+)" | ...
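The two extractions in the answer above (hostname from source, date/time from time), as an added example that is not part of the thread and not Splunk's or the answerer's code. It is written in Python rather than SPL so it can run offline against constructed sample events in the shape the question shows; the regexes are the same idea as the rex patterns, but tightened so that a source that does not end in the -yyyy.mm.dd-hh_mm_ss.csv suffix, or a time value that is not a timestamp, yields no field rather than a wrong one. It also keeps the +1000 offset when parsing (strptime with %z, which Splunk's strptime also accepts) so the timestamp can be normalised to UTC. The function names, SAMPLE_EVENTS and the second and third sample events are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the question; only the first one is from the post.
SAMPLE_EVENTS = [
    {"source": "exhi7g10 SessionTrackingStats-2016.07.19-10_00_01.csv",
     "time": "2016-07-20 10:00:00+1000"},
    {"source": "web01-prod SessionTrackingStats-2016.07.19-10_00_01.csv",  # assumed host
     "time": "2016-07-20 00:30:00-0500"},
    {"source": "stray.csv", "time": "not a timestamp"},  # assumed bad input
]

# Hostname = first run of non-whitespace characters, but only when the rest of the
# source matches the <name>-yyyy.mm.dd-hh_mm_ss.csv layout described in the question.
# The SPL answer's "^(?<host>\w+)" would happily return "stray.csv" as a host.
HOST_RE = re.compile(
    r"^(?P<hostName>\S+)\s+\S+-\d{4}\.\d{2}\.\d{2}-\d{2}_\d{2}_\d{2}\.csv$"
)

# Split "YYYY-MM-DD HH:MM:SS+ZZZZ" into its date and time-with-offset halves;
# stricter than the "(?<date>[^\s]*)\s+(?<time>.*)" used in the answer.
SPLIT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}[+-]\d{4})$"
)

TIME_FMT = "%Y-%m-%d %H:%M:%S%z"  # %z consumes the +1000 offset instead of dropping it


def host_from_source(source):
    """Return the leading hostname of a well-formed source value, else None."""
    m = HOST_RE.match(source)
    return m.group("hostName") if m else None


def split_time(value):
    """Return (date, time) strings, or (None, None) if value is not a timestamp."""
    m = SPLIT_RE.match(value)
    if not m:
        return None, None
    return m.group("date"), m.group("time")


def parse_event_time(value):
    """Parse the full timestamp including offset into an aware datetime, or None."""
    try:
        return datetime.strptime(value, TIME_FMT)
    except ValueError:
        return None


def normalise(event):
    """Produce the derived fields for one event: host, local date/time, UTC date/time."""
    date, time = split_time(event["time"])
    dt = parse_event_time(event["time"])
    utc = dt.astimezone(timezone.utc) if dt else None
    return {
        "hostName": host_from_source(event["source"]),
        "date": date,
        "time": time,
        "utc_date": utc.strftime("%Y-%m-%d") if utc else None,
        "utc_time": utc.strftime("%H:%M:%S") if utc else None,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalise(ev))
```

Converting to UTC matters once the events are compared with logs from other hosts: the first sample is 2016-07-20 10:00:00 at +1000, which is 2016-07-20 00:00:00 UTC, so a date field built from the local string alone can disagree with the date seen on a collector in another zone.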
Thanks, regex is useful in converting date/time format.
Thanks, it's very useful.