Splunk Search

regex to split time/date from field in lookup for timechart

nathanluke86
Communicator

I have a lookup and would like to extract the date for a time chart


TIA


vnravikumar
Champion

Hi @nathanluke86

Try the below rex

| makeresults 
| eval whenCreated="04:25.45 PM, Thu 10/01/2015" 
| rex field=whenCreated "(?P<date>\d{2}\/\d{2}\/\d{4}$)"


nathanluke86
Communicator

Took line 3 from above. Thanks


oscar84x
Contributor

Hello. Try this:

| makeresults 
| eval timeStamp="04:24.45 PM, Thu 10/01/2015"
| rex field=timeStamp "(?<time>\d+:\d+\.\d+\s\w+)\,\s\w+\s(?<date>\d+\/\d+\/\d+)"

manjunathmeti
Champion

Try:

| rex field=whenCreated "(?<time>[\d:.\sAPM]+),\s\w{3}\s(?<date>[\d/]+)"

Sample query:

| makeresults | eval whenCreated="04:25.45 PM, Thu 10/01/2015" | rex field=whenCreated "(?<time>[\d:.\sAPM]+),\s\w{3}\s(?<date>[\d/]+)"

nathanluke86
Communicator

@oscar84x @manjunathmeti @vnravikumar

I have multiple dates in the whenCreated column in the lookup (240 results all different times).

What I am trying to achieve is to just use the results of the lookup using two fields

timechart user by whenCreated, if that makes sense

TIA

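Putting the accepted rex together with the timechart goal from the last post, as an added example that is not from any poster in the thread: the three rows with `user` and `whenCreated` are constructed with makeresults to stand in for the lookup, the extracted date is converted to epoch with strptime so timechart can bucket on it, and rows whose date fails to parse are dropped before charting.

```spl
| makeresults count=3
| streamstats count AS n
| eval user=case(n=1, "alice", n=2, "bob", n=3, "alice"),
       whenCreated=case(n=1, "04:25.45 PM, Thu 10/01/2015",
                        n=2, "09:02.10 AM, Fri 10/02/2015",
                        n=3, "11:47.03 AM, Fri 10/02/2015")
| fields - n
| rex field=whenCreated "(?<date>\d{2}\/\d{2}\/\d{4})$"
| eval _time=strptime(date, "%m/%d/%Y")
| where isnotnull(_time)
| timechart span=1d count BY user
```

Against the real lookup, replace the first three lines with `| inputlookup <your_lookup>` so the 240 rows supply `user` and `whenCreated` directly.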