- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do you add a timestamp onto a log that has a s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you add a timestamp onto a log that has a second counter in the log?
Hi,
I have a log that has a second counter inside it, 1 2...11... 3601...etc .
So data i have
1 Data XXYXX
2 Data XXYXX
5 Data XXYXX
11 Data XXYXX
3601 Date XXYY
etc...
The issues is the log can be given to Splunk on one GO, so it might get 20K links in the same few seconds So I can't use INDEX TIME (As i think it will put all the events into the same few seconds, i need the data to be spread using the seconds in the file)
So i need it to say 3600 seconds is 1 hour and give each event a different time stamp pending on the second counter.....
ALSO...to make it more complex :):):).
I don't want the time to go forward into the future — i would like it to start at the end and go backwards — or, set a negative 2 weeks as "0" and go forward...something like that... [Basally i don't want future events from now()]
What i want Splunk to see for TIMESTAMP (Assuming we go back to start of month or something like that)
01/11/2018 12:00:01 1 Data XXYXX
01/11/2018 12:00:02 2 Data XXYXX
01/11/2018 12:00:05 5 Data XXYXX
01/11/2018 12:00:11 11 Data XXYXX
01/11/2018 13:00:02 3601 Date XXYY
Any help would be super super stuff thanks
Cheers in Advance 🙂
Robbie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think that for index time, youll have to use the datetime.xml to achieve your goals.
you can do it easily at search time, example:
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "(?<seconds_counter>\d+)"
| eval _time = _time + seconds_counter
| more stats and evals to complete your search
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
In fact i need this to add to a datamodel, so i need to do it on index time if possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
interesting,
data models are search results ... why not create an eval field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI
This is what we did thanks.
In the datamodel we put in if(isnull(GC_TIMESTAMP),_time-2592000+relative_time,_time) .
So relative_time is the seconds and if no time stamp is there we go back 90 days and start from there.
cheers
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
