Getting Data In

TIME_PREFIX

shangshin
Builder

I have an autosys log with 4 columns (JobName|Start|End|Status) and would like to add them in splunk.

Check_Job|05/22/2012 02:09:17|05/22/2012 02:09:18|SUCCESS
Extract_Job|05/22/2012 03:09:17|05/22/2012 03:09:18|SUCCESS
Database_Job|05/22/2012 02:09:17||RUNNING

Two questions --

  1. How can I set the primary event time to be end time (column 3)? Can I use TIME_PREFIX=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}
  2. Is it possible to set a secondary event time?
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

This link has an example that I included on your previous question. Splunk will only use one timestamp to represent the event time.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configurepositionaltimestampextraction

Once you get the regex OK for the TIME_PREFIX, you will also need to set MAX_TIMESTAMP_LOOKAHEAD. In this case I think set it to 50.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Not sure if those will apply to anything other than the indexed _time for the event, but I'm not sure exactly what you are referencing. You can calculate the time now() in epoch time and do conversions, I think...just not as elegant a solution. http://splunk-base.splunk.com/answers/117/how-do-i-get-the-current-time

0 Karma

shangshin
Builder

relative_time will do the magic. I am good. Thanks!

0 Karma

shangshin
Builder

Let me rephrase. Is there any function like this?

index=gops STATUS=closed | eval close_date=strptime(CLOSE_DATE,"%m/%d/%y %H:%M") | where close_date>datediff (@now, -30m)

0 Karma

shangshin
Builder

This is not a bad solution. Is it possible to use relative time for the function strptime? (e.g. -30m or -2h)
The reason I am asking this is because I need to set up an alert and using a specific time won't be feasible.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Yes, that makes it more challenging. I think this is what you were looking for...manipulating the second date field anyways and leaving the current time stamp as is.

http://splunk-base.splunk.com/answers/4249/searching-mulitple-time-fields-within-a-record

shangshin
Builder

The string length of the first column, job name, is between 3 and 60 characters. How can I be sure Splunk won't pick start time as the event time, knowing the timestamp format of start and end time is identical?

0 Karma
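The accepted answer's TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD settings and the variable-length job-name concern above, worked through as an added example that is not from the original thread: anchoring TIME_PREFIX at the start of the event and consuming the JobName and Start columns makes the End column the first timestamp after the prefix, whatever the job name's length. The Python function is a simplified model of positional timestamp extraction for illustration, not Splunk's own code; the sourcetype name, the 128-character default lookahead and the sample rows are assumptions taken from or constructed for this thread.

```python
import re
from datetime import datetime

# Constructed sample rows (the three lines from the question):
# JobName|Start|End|Status. The RUNNING row has an empty End column.
SAMPLE_LINES = [
    "Check_Job|05/22/2012 02:09:17|05/22/2012 02:09:18|SUCCESS",
    "Extract_Job|05/22/2012 03:09:17|05/22/2012 03:09:18|SUCCESS",
    "Database_Job|05/22/2012 02:09:17||RUNNING",
]

# Assumed props.conf stanza (sourcetype name is a placeholder). TIME_PREFIX is
# anchored at the start of the event and consumes the JobName and Start columns,
# so the timestamp immediately after it is always End, whatever the job-name length.
PROPS_CONF = r"""
[autosys_joblog]
TIME_PREFIX = ^[^|]+\|[^|]+\|
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
"""

ANCHORED_PREFIX = r"^[^|]+\|[^|]+\|"
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
TIMESTAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")


def extract_event_time(line, time_prefix="", lookahead=128):
    """Simplified model of positional timestamp extraction (not Splunk's code):
    find the TIME_PREFIX match, then take the first timestamp that appears
    within `lookahead` characters after it. Returns None when nothing parses,
    which is where Splunk has to fall back to another time source (e.g. index time).
    The 128 default mirrors the assumed MAX_TIMESTAMP_LOOKAHEAD default."""
    prefix = re.search(time_prefix, line)  # "" matches at offset 0
    if prefix is None:
        return None
    window = line[prefix.end():prefix.end() + lookahead]
    found = TIMESTAMP_RE.search(window)
    if found is None:
        return None
    return datetime.strptime(found.group(0), TIME_FORMAT)


def compare_prefixes(lines):
    """(first timestamp seen, End-column timestamp) per row: no prefix vs anchored."""
    return [(extract_event_time(l), extract_event_time(l, ANCHORED_PREFIX, 19))
            for l in lines]


if __name__ == "__main__":
    for line, (first, end) in zip(SAMPLE_LINES, compare_prefixes(SAMPLE_LINES)):
        print(f"{line.split('|')[0]:13} first-seen={first}  end-column={end}")
```

The RUNNING row returns None under the anchored prefix because its End column is empty, so jobs still in progress will not get their event time from that column and need a fallback in the deployment.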