Use of Multiple Timestamps in one Index

Wushu · ‎08-15-2011

For the purpose of this problem lets say I have one index, in this index I receive syslog events - one such event has three timestamps. I need to extract the third timestamp for this event.

Aug 15 10:27:23 Host2124.bleh Aug 15 10:27:23 Message forwarded from Host2124: AIXAudit: FILE_Write root FAIL Mon Aug 15 10:01:05 2011

The rest of the events in the index tend to have the usual two and is generally not a problem (splunk takes this fine);

Jul 27 16:04:19 Host3212.bleh.co.uk Jul 27 16:04:19 Message forwarded from Host3212

Does anyone know of a method to have the third timestamp extracted only for that first event and leave the rest of the events in the index as they are? Almost as if we said.. If this regex matches then apply the following timestamp parsing..

Note - These events are the same sourcetype, same index..
Thanks in advance

supersleepwalke · ‎04-04-2012

In theory, using TIME_PREFIX with a greedy regex should work. Something like:

TIME_PREFIX="^.*Message forwarded from"

should find the last instance of "Message forwarded from" since .* is greedy and will consume as much as it can. TIME_PREFIX essentially consumes and excludes part of the line from timestamp recognition.

That being said, I'm having trouble getting TIME_PREFIX to work for me at the moment, YMMV.

Use of Multiple Timestamps in one Index

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...