Solved: How can I propagate date+hour to each next event i...

Pharaon · ‎07-16-2018

Hi. I am a newborn splunk user. Logs come in the following format
--Format--
@@dd/mm/yyyy_HH
MMSS.msecond|Message...
....
@@dd/mm/yyyy_HH
MMSS.msecond|Message...

How can I capture date+hour and apply to each event at indexing time.
E.g. for the last message in the sample I need something like below
10/07/2018 21:48:17.112 MessageF

Or how to make Splunk recognize a timestamp properly when hour is linked to date and precise time is linked to each message?

Appreciate your help.

Pharaon · ‎07-18-2018

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

View solution in original post

Pharaon · ‎07-18-2018

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

CarsonZa · ‎07-16-2018

i don't think what you are after is possible. each event needs its own time stamp. The only alternative i could think of would be using indexing time as the timestamp. set up a props.conf and add the following. You would also need to setup some regex for line breaking i'm assuming which can be found in props.conf as well.

DATETIME_CONFIG = CURRENT

Logging Best Practices

How can I propagate date+hour to each next event in the log?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life