- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Trying to extract timestamp from json field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to extract timestamp from json field
One of the fields being indexed is formatted xx-xx-xxxxx_xx_xx-xx-20ww04c and various other strings always ending with year, week of the year and version, ie a=1, b=2, c=3.
I'm testing this through the Add Data UI which has the Advanced options to provide Timestamp format, Timestamp prefix, and Lookahead.
I'm trying these for the first two values, but it's obviously not correct:
Timestamp format: %yww%Vc
Timestamp prefix: (?<_time>\w{7})$
Thanks for any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval time=strftime(_time,"%yww%Vc")
| fieldformat _time=strftime(_time,"%yww%Vc")
| eval check=strptime(time,"%yww%Vc")
wow, It can't be extracted.
| noop search_optimization=false it can't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
I am able to get at search time what I want but unable to achieve at index time
My timestamp in data looks like: 2020-07-02T18:00:18+02:00 with name log_modified_date.
i have written below props.conf:
[_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = last_modified_date
TIME_FORMAT = %Y-%m-%dT%H:%M:%S+%2N:%2N
MAX_TIMESTAMP_LOOKAHEAD = 25
and getting time extracted as :
7/2/20
6:00:18.020 PM
I want the time field extracted in same way as in data with + value as well like:
7/2/20
6:00:18+02:00 PM something like this
Please let me know what i am doing wrong as i am not getting expected output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This timeformat will not work , with adding %:z it will just convert time as per timezone .
I hv already tried what you suggested.
As i said i want time as it is with + value mentioned.
Note +02:00 is fixed with each timestamp in events.
So in case if we can’t get in timeformat ,can we add explicitly at index time.
Pls suggest.
And i have to use time format because there is 1 more time field in data which splunk detecting automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa ,
is 2020-07-02T18:02:18 ? - No it doesn't mean
I want +02:00 value separately only along with time:
7/2/20
6:00:44+02:00 PM like this i want in _time.
Please help me getting this and as I told earlier that +02:00 value is fixed with each timestamp so you can leverage of adding hardcore as well, i won't mind just output should be same.
Thanks
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
