This is my log file
Timestamp Event
5/22/14 10:32:15.000 AM [2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] [ecid: 00^sq] [tid: 1604] [36007] Loading repository.
Here it shows the timestamp 5/22/14 10:32:15.000 AM, but the actual timestamp is 2014-05-22T05:02:15.000+00:00, which should be 5/22/14 05:02:15.000 AM. It is increasing by exactly 5.30 hours for all the events. What may be the reason behind this?
Thanks
Gajanan Hiroji
Depends on what you're looking for but here's some examples:
Regex capture group for date and time
^\[(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}\.\d{3})[+-]\d{2}:\d{2}\]
Splunk rex command for extracting date and time
| rex field=_raw "^\[(?<Date>\d{4}-\d{2}-\d{2})T(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})[+-]\d{2}:\d{2}\]"
In props.conf, you'll want something like TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
Also, there isn't a word "TO" in there, it's just the letter T and the zero. It's not the letter O.
But when I try to do a field extraction with the same regex, it shows "Regex does not extract any named fields". I tried removing the last part of the regex, that is -\d{2}:\d{2}, because it was not required for me. Am I going wrong somewhere?
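The following is an added example, not code from the original thread or from Splunk. It covers both the answer above (the capture-group regex and the TIME_FORMAT) and the follow-up about "Regex does not extract any named fields": it runs the regex as originally posted and a corrected one over the raw event from the question, parses the ISO timestamp with its offset, and shows that the displayed 10:32:15 is exactly 5 hours 30 minutes ahead of the logged 05:02:15 UTC, which is what a UTC+05:30 display zone would produce (the sample event is taken from the question; the idea that the viewer's time zone is +05:30 is an assumption).

```python
import re
from datetime import datetime, timedelta, timezone

# Sample event from the question. The leading "5/22/14 10:32:15.000 AM" in the
# question is Splunk's rendered _time column, not part of _raw, so _raw starts
# with the "[" of the ISO timestamp.
RAW_EVENT = ("[2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] "
             "[ecid: 00^sq] [tid: 1604] [36007] Loading repository.")

# Regex as originally posted: anchored at "^" with no "[" and a literal "-"
# before the UTC offset. The event has "[" first and a "+00:00" offset, so this
# never matches, which is what Splunk reports as "does not extract any named fields".
POSTED_RE = re.compile(
    r"^(?P<Date>\d{4}-\d{2}-\d{2})T(?P<Time>\d{2}:\d{2}:\d{2}\.\d{3})-\d{2}:\d{2}")

# Corrected regex: consume the leading "[", accept either sign on the offset,
# and capture the offset so the timestamp can be interpreted correctly.
FIXED_RE = re.compile(
    r"^\[(?P<Date>\d{4}-\d{2}-\d{2})T(?P<Time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"(?P<Offset>[+-]\d{2}:\d{2})\]")

# Python equivalent of the suggested TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N plus the
# offset; Python spells the fractional seconds %f instead of Splunk's %3N.
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def extract_fields(raw, pattern=FIXED_RE):
    """Return the regex's named groups as a dict, or None when it does not match."""
    m = pattern.search(raw)
    return m.groupdict() if m else None


def parse_event_time(raw):
    """Parse the timezone-aware timestamp out of the raw event."""
    fields = extract_fields(raw)
    if fields is None:
        raise ValueError("no ISO timestamp found at start of event")
    stamp = fields["Date"] + "T" + fields["Time"] + fields["Offset"]
    return datetime.strptime(stamp, ISO_FORMAT)


def rendered_offset(raw, displayed):
    """Difference between the time Splunk displayed (taken as wall-clock) and the
    UTC time actually logged. displayed uses the "5/22/14 10:32:15.000 AM" form."""
    logged = parse_event_time(raw)
    shown = datetime.strptime(displayed, "%m/%d/%y %I:%M:%S.%f %p")
    shown = shown.replace(tzinfo=timezone.utc)
    return shown - logged


def render_in_zone(raw, hours, minutes=0):
    """Render the logged instant as wall-clock time in a fixed UTC offset zone."""
    zone = timezone(timedelta(hours=hours, minutes=minutes))
    return parse_event_time(raw).astimezone(zone).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print("posted regex matches:", extract_fields(RAW_EVENT, POSTED_RE) is not None)
    print("fixed regex fields:  ", extract_fields(RAW_EVENT))
    delta = rendered_offset(RAW_EVENT, "5/22/14 10:32:15.000 AM")
    print("display minus logged:", delta)
    print("logged time in UTC+05:30:", render_in_zone(RAW_EVENT, 5, 30))
```

The 5h30m difference comes out exactly, so the log itself is consistent: the event is stamped in UTC and the displayed value is the same instant shown in a +05:30 zone. In Splunk terms the thing to check is the time zone of the user viewing the results (and the TZ setting applied when indexing), not the extraction regex.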