Splunk Search

regex to split date and time from combined datetime.

rajeev_ku
Path Finder

Hi,

I have a uploaded a csv file and in splunk event looks like as below:

Anyone can help me to split time into date and time from time = 2016-07-20 10:00:00+1000.
And source format is -yyyy.mm.dd-hh_mm_ss.csv, the first word is hostname of the servers from where logs collected and converted into csv file, is it possible to fetch hostname from source by using regex, how?

"GTP_C2-12",33,2016-07-20 10:00:00+1000,300073,0.246,0.000,0.000,0.020,0.000,0.023,0,0,0.000,0.000,0.020,2
avgRecordDuration = 0.246 host = rh4 index = probe_data *
source = exhi7g10 SessionTrackingStats-2016.07.19-10_00_01.csv** time = 2016-07-20 10:00:00+1000 totalOpenSessions = 2*

Thanks in advance.

Thanks
Rajeev

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To separate date and time, try this

... | rex field=time "(?<date>[^\s]*)\s+(?<time>.*)" | ...

Getting the host name from the source field is similar.

... | rex field=source "(?<hostName>[^\s]*)" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

sundareshr
Legend

For date/time, if you intend to use it for date/time calculations, you will need to convert it. Try this

... | rex field=t "time = (?<dtm>[^\s]+\s[^\s]+)" | eval date=strftime(strptime(dtm, "%Y-%m-%d %H:%M:%S"), "%Y-%m-%d") | eval time=strftime(strptime(dtm, "%Y-%m-%d %H:%M:%S"), "%H:%M:%S") | table t dtm date time

And for host name

... | rex field=source "^(?<host>\w+)" | ...
0 Karma

rajeev_ku
Path Finder

Thanks, regex is useful in converting date/time format.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To separate date and time, try this

... | rex field=time "(?<date>[^\s]*)\s+(?<time>.*)" | ...

Getting the host name from the source field is similar.

... | rex field=source "(?<hostName>[^\s]*)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

rajeev_ku
Path Finder

Thanks, it's very useful.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...