Hey,
I know it is a seriously simple question, but I am having a hard time with the timestamp extraction below.
The log looks like:
01.04.14 11:09:24 AM [Storage 1312312312] skfnskfnksfnksdnfsdnfksdnfksdnflksdnfklsdf
I am defining my sourcetype for this as:
BREAK_ONLY_BEFORE=\d{1,2}.\d{1,2}.\d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2} [APap][Mm] [
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%d.%m.%Y %I\:%M\:%S %p
TZ=Australia/Sydney
If you notice, I have got a backslash between the hour and minute digits, so I tried escaping it with another backslash. I have also tried it without escaping it. In both cases Splunk only extracts the date, and no proper time is extracted.
Is escaping allowed in the TIME_FORMAT field? If yes, what am I doing wrong here? Can someone please provide some pointers?
Thanks
BREAK_ONLY_BEFORE=\d{2}\.\d{2}\.\d{2}\s+\d{1,2}\\:\d{1,2}\\:\d{1,2}\s+[APap][Mm]
TIME_FORMAT=%m.%d.%y %I\:%M\:%S %p
You were using %Y, not %y.
This worked. Thanks a lot JKAT54.
Can you please mark my answer as the solution? Thanks! - Jkat54
How could I make this silly mistake...
Anyway, yes, that was the only problem. Thanks a lot JKAT54.
Maybe add this to the end to fix your "\:"
SEDCMD=s/\\:/:/g
I just noticed that while posting I mentioned a double backslash: one is there in the time string and the other I used to escape it. It looks like the formatting on the webpage already escaped it while presenting.
Actually the time format is like: dd.mm.yyyy hh\:mm\:ss AM, so here you can see that I have got a backslash in between the hh and :mm.
I don't see any problem with the BREAK_ONLY_BEFORE field, but when I used the same technique for TIME_FORMAT it did not work, even after using the correct strftime. I have tried both ways: one by escaping it using an additional backslash, and without it as well.
It should not be necessary to escape the colon characters in either the TIME_FORMAT or BREAK_ONLY_BEFORE statements. Try this regex in BREAK_ONLY_BEFORE to see if it makes a difference:
\d{1,2}\.\d{1,2}\.\d{1,2} \d{1,2}:\d{1,2}:\d{1,2} [APap][Mm] \[
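The accepted answer's BREAK_ONLY_BEFORE/TIME_FORMAT pair, the poster's original %Y format and the SEDCMD alternative, re-created in Python as an added example (this is not Splunk's code nor anything posted in the thread). It assumes that Python's strptime treats a backslash in the format as a literal character to match, which is the behaviour the thread found in Splunk; the sample lines are constructed to carry the literal "\:" separators the poster describes.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): three events, the second spanning two
# lines, with the literal "\:" separators the poster says the raw data contains.
SAMPLE = "\n".join([
    r"01.04.14 11\:09\:24 AM [Storage 1312312312] skfnskfnksfnksdnfsdnfksdnfk",
    r"01.04.14 11\:09\:25 AM [Storage 1312312313] first line of a two-line event",
    r"    continuation line that must stay merged into the event above",
    r"01.04.14 11\:09\:26 AM [Storage 1312312314] third event",
])

# Accepted answer's BREAK_ONLY_BEFORE: "\\:" in the regex matches a literal backslash-colon.
BREAK_ONLY_BEFORE = r"\d{2}\.\d{2}\.\d{2}\s+\d{1,2}\\:\d{1,2}\\:\d{1,2}\s+[APap][Mm]"

# The two TIME_FORMAT strings from the thread. Python's strptime treats the backslash
# as a literal character to match, which is what the thread found Splunk does (assumption).
TIME_FORMAT_ORIGINAL = r"%d.%m.%Y %I\:%M\:%S %p"  # poster's version: %Y expects a 4-digit year
TIME_FORMAT_FIXED = r"%m.%d.%y %I\:%M\:%S %p"     # accepted answer: %y takes the 2-digit year

# The leading "date time AM/PM" prefix of an event; same shape as the regex above.
TIMESTAMP_PREFIX = re.compile(r"^\S+ \S+ [APap][Mm]")


def break_events(blob):
    """Split raw text into events, as SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE does:
    break only where a line starts with the timestamp pattern; other lines stay merged."""
    parts = re.split(r"^(?=" + BREAK_ONLY_BEFORE + r")", blob, flags=re.MULTILINE)
    return [p.rstrip("\n") for p in parts if p.strip()]


def extract_timestamp(event, time_format):
    """Parse the event's leading timestamp with a strptime format; None if it does not fit."""
    m = TIMESTAMP_PREFIX.match(event)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(0), time_format)
    except ValueError:  # Splunk would silently fall back to a default time here
        return None


def strip_escaped_colons(event):
    r"""Equivalent of SEDCMD=s/\\:/:/g, after which a plain %I:%M:%S format works too."""
    return event.replace(r"\:", ":")


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract_timestamp(ev, TIME_FORMAT_ORIGINAL),
              extract_timestamp(ev, TIME_FORMAT_FIXED), "<-", ev.split("\n")[0][:48])
```

Running it prints None for every event under the original %Y format and a full 2014-01-04 timestamp under the fixed one, with the continuation line kept inside the second event.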