Solved: How to prevent scripted input grouping events by t...

temperuser · ‎06-19-2015

I have a script that executes every 5 minutes. It extracts date and time with props.conf:

EXTRACT-date = ^(?:[^\t\n]*\t){3}(?P<date>[^\t]+)
EXTRACT-time = ^(?:[^\t\n]*\t){4}(?P<time>[^\t]+)
TIMESTAMP_FIELDS = date,time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = GMT

I have time field with actually values of event time, but splunk timestamps are grouped by 5 minutes (script execution period). Why is it so, and how I can prevent this behaviour?

martin_mueller · ‎06-19-2015

That's not how timestamp extraction works. Without knowing your data format, I'd guess this might work:

[your_sourcetype]
TIME_PREFIX = ^([^\t\r\n]*\t){3}
TIME_FORMAT = %Y-%m-%d\t%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = GMT

Note, I didn't test if the tab between date and time needs to be a tab character or the baslash-tee of regex.

The basic Idea is to tell Splunk where to start looking, what to look for, and for how far to keep looking.
EXTRACT-foo is search-time field extraction, entirely unrelated to finding the timestamp at index time.

View solution in original post

martin_mueller · ‎06-19-2015

That's not how timestamp extraction works. Without knowing your data format, I'd guess this might work:

[your_sourcetype]
TIME_PREFIX = ^([^\t\r\n]*\t){3}
TIME_FORMAT = %Y-%m-%d\t%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = GMT

Note, I didn't test if the tab between date and time needs to be a tab character or the baslash-tee of regex.

The basic Idea is to tell Splunk where to start looking, what to look for, and for how far to keep looking.
EXTRACT-foo is search-time field extraction, entirely unrelated to finding the timestamp at index time.

How to prevent scripted input grouping events by time?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!