Solved: Adding Multiple time stamp fields in props file so...

k_harini · ‎11-07-2016

I have a source file with multiple dates and timestamp as separate fields. I want to use last_changed and last_changed_time fields..
Both are in different format
last_changed = %d.%m.%Y
last_changed_time = %H:%M:%S %p

While defining sourcetype - Timestamp fields - last_changed,last_changed_time ... How to give timestamp format since 2 fields are present in timestamp fields? Please suggest!

gcusello · ‎11-07-2016

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

View solution in original post

gcusello · ‎11-07-2016

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

niketn · ‎11-07-2016

can you add some sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Adding Multiple time stamp fields in props file sourcetype stanza

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...