Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TImestamp assignment for an event

AnithaL
New Member
‎01-31-2013 12:43 AM

Hi ,

Here is the sample log along with the line numbers mentioned ,which I am trying to upload to Splunk.

1 ) a
2 ) a1
3 ) a2
4 ) a3
5 ) a4
6 ) a5
7 ) begin script 2013-01-15 02:26:27::Status :0
8 ) Run_Job ::2013-01-15 02:26:27::pmcmd Return Code=0
9 ) Run_Job ::2013-01-15 02:26:27::Workflow wf_FF completed Successfully..
10 ) _Upd_DT_ID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wf_FF
11 ) *** Warning: EOF on INPUT stream.
12 ) *** Warning: EOF on INPUT stream.
13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCE_FLAT_FILE_NAME updated successfully.
14 ) *** Warning: EOF on INPUT stream.
15 ) *** Warning: EOF on INPUT stream.
16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.
17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file
18 ) ::2013-01-15 02:30:16::Successfully removed Temp file
19 ) ::2013-01-15 02:30:16::End processing for workflow wf_FF
20 ) ### Command completed.

For the first 6 lines splunk assigned the timestamp when it is getting indexed and for the rest it is taking from the log data.

Need the first 6 lines also merged with the second event so that it will get the timestamp from the log.

Thanks in advance.

Anitha.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:24 AM

You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.

0 Karma
Reply

Ayn
Legend
‎01-31-2013 02:47 AM

This might also be helpful: http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:32 AM

In-depth documentation is http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction and http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf

In essence you're telling splunk where to start looking for a timestamp, you can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.

0 Karma
Reply

AnithaL
New Member
‎01-31-2013 01:28 AM

Hi

I am new to Splunk , not sure how to use TIME_PREFIX.

Regards,
Anitha

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...