Re: Tricky parsing requirement

ssledzie · ‎02-19-2014

Say I fed a file into splunk that had a date field at the top.

Then after that, one event per line that contained a time offset from the aforementioned date field. Any way I could make splunk assign a timestamp from date+time offset to the event?

lukejadamec · ‎02-19-2014

I'm gonna venture an educated guess - No, you cannot perform math on index time extractions.

However, you can math in a search. Once you get it the way you want it, you can create a macro so it can be called easily.

ssledzie · ‎02-24-2014

I'll check the doc thanks. In either case, the format would be something like:

DATE: 02/24/2014 11:00:00

0
5
10

In the above example 0,5, and 10 are offsets from the date header.

lukejadamec · ‎02-24-2014

Have you read this doc? http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/HowSplunkextractstimestamps
According to that doc, if you can configure props.conf to recognize the 'date field' as an event of the same sourcetype, and pull the date as a date time, then all subsequent events would default to that 'date time' because the subsequent events of that same sourcetype do not have a valid 'date time'.

It is tough without seeing the data or log file structure.

ssledzie · ‎02-24-2014

That's fine. I'm willing to do that calculation at search time. But I still need the all the data on the event to do that.

Ayn · ‎02-24-2014

You'd still have to do math in order to add the start date and the offset. The timestamp processor doesn't have that kind of functionality.

ssledzie · ‎02-24-2014

What if I didn't do any math but appended the start date to every event? Is that possible?

Tricky parsing requirement

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases