Splunk Search

Timestamp split in log files

bizza
Path Finder

Hi all,
I'm trying to extract the timestamp from some crappy unstructured logs.
Every event is one line of 300 characters/digits, and the fields are in fixed positions (example: positions 1 to 10 are the hostname, 11 to 12 the status, and so on).
I need to compose my timestamp by merging 2 different fields: from position 15 to 20 and from position 60 to 66.

Any hints?

Regards

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Based on your example, the following regex will extract the date and time fields.

[\s\S]{13}(?<date>\d{8})[\s\S]{36}(?<time>\d{4})

You could then combine them at search time using eval ts=date.time.

---
If this reply helps you, Karma would be appreciated.



bizza
Path Finder

sourcetype="mysourcetype" | eval ts=date.time | eval _time = strptime(ts, "%Y%m%d%H%M") | timechart count by my_field

works great!

thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming sourcetype=mysourcetype | eval ts=date.time | table date, time, ts produces results, you'll want to convert ts from a string into an integer using strptime() and use that value in your graph.

---
If this reply helps you, Karma would be appreciated.

bizza
Path Finder

I just need to graph data using ts (from eval) as timestamp

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Just how, exactly, are you trying to use the date and time fields?

---
If this reply helps you, Karma would be appreciated.
0 Karma

bizza
Path Finder

Yep, I restarted Splunk after that.
Using the table command I see the date and time fields correctly, and in the left column too, but I'm not able to use them as the timestamp in my searches.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

sourcetype = mysourcetype | table date, time

Do you get values for the fields date and time?
And I hope you restarted/refreshed Splunk after the props.conf change.

0 Karma

bizza
Path Finder

I put in my props.conf, in the right sourcetype:
EXTRACT-extract_time = your_regex

And I searched
sourcetype = mysourcetype | eval ts=date.time

If it is supposed to work, it doesn't.
What am I missing?

0 Karma

bizza
Path Finder

Just an example, with 1 in place of the original digits and A in place of the characters; the whitespace is actually the same.
The extracted timestamp should be 201404300833 in %Y%m%d%H%M format.

1111111111 1.20140430AAA111 11AAAA AAAAA AA11111111111110833111A AAAAAAAAA 111111111 AAAAAAAA1111111

0 Karma

lukejadamec
Super Champion

Can you post an example of the first 75 characters?

0 Karma