How do you parse two time formats in Splunk?

bobojesus · ‎03-29-2019

The first time format is

Fri Dec 21 11:17:30 2018
the other one is 
2018-12-21T11:17:31.051061

I was wondering how i would line break this, and also, how would I format the time format to accept both times?

woodcock · ‎03-31-2019

If a single file has more than 1 timestamp format then the developers should get a serious paddling and either split the events or pick one format and stick to it. Until that happens, you can force Splunk to look for both with a custom datetime.xml file:
https://www.splunk.com/blog/2014/04/23/its-that-time-again.html

skoelpin · ‎03-29-2019

Each unique format should be tied to a sourcetype. You create base configs that tell Splunk how to read the timestamp and break the events properly relative to the sourcetype. In theory, you write the sourcetype rules once for each log format and you tie new events to that sourcetype

bobojesus · ‎03-29-2019

Yeah I know that. What I was wondering is there a way to properly format two different time formats located in one log file

skoelpin · ‎03-29-2019

Well yeah.. If they are in the same log file then assuming they are of the same type, they should be in he same format. If not, then you can route them to a different sourcetype

niketn · ‎03-30-2019

Use the documentation for sourcetype override. Have timestamp parsing for both sourcetypes as per your needs. While pulling data from index, pull both sourcetypes:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How do you parse two time formats in Splunk?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk