Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my current regex not extracting date and time fields from my log data?

mhng
New Member
‎04-21-2015 01:28 AM

Hi All

I have a log file which contain some information that I need. I would like to extract the date_time which I highlighted as bold.
29/03/2014 15:39:56,CALL_FAILED,VOICE,+6111223344,tel:+6133445566,29/03/2014 14:04:33

I tried to use this command, but it doesn't work for me. Any advise?

  My_base_search | rex field=_raw "(?<end>\d+\.\d+\.\d+\s\d+\.\d+\.\d+),\w*,\w*,\.\d*,\w*\.\.\d+,(?<begin>\d+\.\d+\.\d+\.\d+\s\d+\.\d+\.\d+)" | eval "Begin"=begin | eval "End"=end | table "Begin", "End"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 01:43 AM

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

View solution in original post

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-21-2015 01:47 AM

here is my proposition

........| rex field=_raw "^(?P<end>[^,]+)[^:\n]*:\+\d+,(?P<begin>.+)"|table  begin end
SGF
Reply
Solved! Jump to solution

mhng
New Member
‎04-21-2015 05:58 AM

Thanks, your solution is working for me toooooo!

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-21-2015 01:44 AM

answers.splunk.com/answers/231450/regex-i-want-to-match-a-string-and-then-extract-th.html#answer-231454

0 Karma
Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎04-21-2015 01:43 AM

Your regex contains . characters ("backslash dot" is evaluated to a literal .) which are not in your search term; you have forward slashes however. This should work:

(?<end>\d+\/\d+\/\d+\s\d+\:\d+\:\d+),.*,(?<begin>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)

Always try your regular expressions online, for example at regex101. It helps a lot as you always see exactly what happens.

Reply
Solved! Jump to solution

mhng
New Member
‎04-21-2015 05:58 AM

Thanks, for sharing this answer and the regex101 is awesome!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎04-21-2015 11:57 AM

Hi @mhng

If you're interested in other regex tools, check out this previous Splunk Answers post where different users shared their favorite online (and 1 offline) regex resources.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...