Solved: Timestamp splitted in log files

bizza · ‎04-30-2014

Hi all,
I'm trying to extract the timestamp from a crappy unstructured logs.
Every event is one line with 300 character/digits, and field are in fixed position (example: from 1 to 10 means hostname, from 11 to 12 means status, and so on).
I need to compose my timestamp merging 2 different fields: from position 15 to 20 and from position 60 to 66.

Any hints?

Regards

richgalloway · ‎04-30-2014

Based on your example, the following regex will extract the date and time fields.

[\s\S]{13}(?<date>\d{8})[\s\S]{36}(?<time>\d{4})

You could then combine them at search time using eval ts=date.time.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-30-2014

Based on your example, the following regex will extract the date and time fields.

[\s\S]{13}(?<date>\d{8})[\s\S]{36}(?<time>\d{4})

You could then combine them at search time using eval ts=date.time.

---
If this reply helps you, Karma would be appreciated.

bizza · ‎04-30-2014

sourcetype="mysourcetype" | eval ts=date.time | eval _time = strptime(ts, "%Y%m%d%H%M") | timechart count by my_field

works great!

thanks

richgalloway · ‎04-30-2014

Assuming sourcetype=mysourcetype | eval ts=date.time | table date, time, ts produces results, you'll want to convert ts from a string into an integer using strptime() and use that value in your graph.

---
If this reply helps you, Karma would be appreciated.

bizza · ‎04-30-2014

I just need to graph data using ts (from eval) as timestamp

richgalloway · ‎04-30-2014

Just how, exactly, are you trying to use the date and time fields?

---
If this reply helps you, Karma would be appreciated.

bizza · ‎04-30-2014

Yep, I restarted Splunk after that.
Using table command I see correctly date and time fields, and in the left column too, but I'm not able to use it as timestamp in my searches

somesoni2 · ‎04-30-2014

sourcetype = mysourcetype | table date, time

Do you get values for fields date, time?
And hope you restarted/refreshed splunk after props.conf change.

bizza · ‎04-30-2014

I put in my props.conf, in the right sourcetype:
EXTRACT-extract_time = your_regex

And I searched
sourcetype = mysourcetype | eval ts=date.time

If it is supposed to work it don't.
What I'm missing?

bizza · ‎04-30-2014

Just an example, with 1 instead of orig digit and A instead of char, white space are actually the same.
Extracted timestamp shoud be 201404300833 in %Y%m&d%H%M format

1111111111 1.20140430AAA111 11AAAA AAAAA AA11111111111110833111A AAAAAAAAA 111111111 AAAAAAAA1111111

lukejadamec · ‎04-30-2014

Can you post an example of the first 75 characters?

Timestamp splitted in log files

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!