- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Some RegEx help with date formatting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some RegEx help with date formatting
I am extracting a date/time stamp out of some XML; however, I need to strip out the time from the string.
i.e. - 3/7/2012 2:25:52 PM (GMT) --> needs to be: 3/7/2012
What would the REGEX be and would that regex be in the props.conf or can it go in the search string?
Here is the entry in props = EXTRACT-CreateTimeStamp_GMT = (?i)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your XML looks something like this;
<blaha>BLAHA</blaha>
<createtimestampgmt>3/7/2012 2:25:52 PM (GMT)</createtimestampgmt>
<blaha2>BLAHA2</blaha2>
the following props.conf extract would get you the date only
EXTRACT-DateFromTimeStamp = (?i)<createtimestampgmt>(?P<createtimestamp_gmt>[^\s]+)
i.e. read everything from the end of the start tag up to the first whitespace character, and save it as (the somewhat odd name) createtimestamp_gmt
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
efelder0,
what do you mean by "date". date as in "MM/DD/YYYY" or date as "MM/DD/YYYY HH:MM:SS (AM|PM)"
i would opt to use [\d]{2}/[\d]{2}/[\d]{4} to grab MM/DD/YYYY just in case the space comes up missing (not likely, but you never know)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The REGEX would be the same, i.e.
[^\s]+
if your event text contains square brackets, you need to escape them, otherwise they will be treated as part of the regex, i.e. \[CDATA\[
Please mark the question as answered if this solved your problem. Thanks.
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that worked. However, I have another field that requires reformatting. But, this time I am doing my field extraction from the transforms.conf. For example, I am pulling a field called "IncidentTime" and its value is 12/11/2011 11:16:48 PM. Here is the entry in transforms.conf:
REGEX = (?i)
What would the new REGEX be to only include the date string? or would it be better to use the strptime function from within the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not really sure what you are wanting
[\d]{1,2}/[\d]{1,2}/[\d]{4} will grab 3/7/2012 or 12/12/2012 , etc.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
