Splunk Search

Custom _time extraction

responsys_cm
Builder

I would like to use a field in my event data for the _time field. It looks like:

<LAST_UPDATE><![CDATA[2012-06-14T21:16:28Z]]></LAST_UPDATE>

I tried the following in props.conf to extract that time field:

TIME_PREFIX = (?i)^\s+\<LAST_UPDATE\>\<!\[CDATA\[

How can I make use of this field for the _time value?

Thx.

Craig


responsys_cm
Builder

Thanks, Ayn. Yeah, that's what the line of XML looks like. The characters appear like they do in the event.


sowings
Splunk Employee

It might be the \s+ at the beginning tripping up the regex.

You might also consider adding a TIME_PREFIX to give Splunk a leg up on guessing the proper format for your events.

Another possibility is that your time stamp string might be past the default "how far ahead do I look?" limit. That default is 150 characters, and is set by MAX_TIMESTAMP_LOOKAHEAD in props.conf.

Finally, if the event stream for this event contains other events that are in, say, standard syslog format, with a timestamp at the leading position in the line, Splunk might "home in" on that timestamp format, preferring it over the one you've specified here. In general, you should try to group events with similar timestamp formats into like inputs. That is, if events A, B and C all go into the same file monitored by inputs.conf, and only type C has the "different" timestamps, Splunk will choose the format of events A and B, but be confused by C. You might have to resort to a search-time extraction if this is the case.
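As an added example (not posted by anyone in this thread), here is a props.conf stanza that puts the points above together for the LAST_UPDATE element: a TIME_PREFIX without the leading anchor, an explicit TIME_FORMAT so Splunk does not guess from neighbouring events, a MAX_TIMESTAMP_LOOKAHEAD sized to the value, and an explicit timezone. The sourcetype name responsys_xml is an assumption; use whatever sourcetype your input assigns.

```ini
# Added example, not from the thread. Assumed sourcetype name: responsys_xml.
# Index-time timestamp settings for events that carry the time in
# <LAST_UPDATE><![CDATA[2012-06-14T21:16:28Z]]></LAST_UPDATE>
[responsys_xml]

# The original attempt anchored on ^\s+, which only matches when the element
# sits at the very start of the event and is preceded by whitespace. Without
# the anchor the prefix is found wherever the element occurs in the event.
# Only the square brackets need escaping; < > and ! are literals in the regex.
TIME_PREFIX = <LAST_UPDATE><!\[CDATA\[

# Exact layout of the value that follows the prefix. Spelling it out stops
# Splunk from preferring a timestamp format learned from other events that
# share the same input (the syslog case described above).
TIME_FORMAT = %Y-%m-%dT%H:%M:%S

# MAX_TIMESTAMP_LOOKAHEAD counts characters after the TIME_PREFIX match.
# The value itself is 19 characters plus the trailing Z, so a small window
# is enough and avoids picking up digits further along in the event.
MAX_TIMESTAMP_LOOKAHEAD = 20

# The trailing Z means UTC; declare it rather than relying on the local
# timezone of the indexer that parses the data.
TZ = UTC
```

These settings are applied at index time, so the stanza belongs on the indexer or heavy forwarder that parses the input, not on a universal forwarder, and it only affects events indexed after the change; already-indexed events keep their _time.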

Ayn
Legend

I reformatted your question a bit, but I'm unsure what you actually put in your regex and what you entered here to have the site display it correctly. Code blocks are indented with 4 spaces. Please have a look and edit it so it looks like it does in your events and conf files.
