Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to extract and assign a timestamp from a m...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-27-2015
02:42 AM
How to extract and assign the timestamp from the below multiline event. Timestamp exists in the 4th line from last.
Test Log Management
Y12354.ABC
Y12354.ABCýY12354.AMýY12354.PM
LIVE
AMENDýCREATEýNEW
NavigationýNavigationýNavigation
14832 task T1455671 amended - refreshýQC14790 (Correction customer and AccountýMigration of role 256
1505081034ý1504081139ý1503171221
approvedýapprovedýapproved
1505081129ý1504081150ý1503171225
3
4
1506091724
2015_*Y12354.ABC
IN0010001
1
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-28-2015
03:07 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-28-2015
03:07 PM
Use this in props.conf:
TiME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-29-2015
01:00 AM
But sometimes in the log on 10th line also we have value as "1505081034" instead of "1505081034ý1504081139ý1503171221" , but we should not consider this as timestamp. we have to assign the time which is on 30th line(1507101814) as timestamp. How to do that? Below is the sample log
Test Log Management
Y12354.ABC
Y12354.ABC
LIVE
AMEND
Navigation
14832 task T1455671 amended - refresh
1505081034
approved
1505081129
3
4
2015_*Y12354.ABC
1507101814
2015_*Y12354.ABC
IN0010001
1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2015
02:16 AM
You can tell it to always skip at least "x" lines; here is how to do it for x=15:
TiME_PREFIX = ([^\r\n]*[\r\n]){15}.*(?:[\r\n]+)(?=\d{10,}[\r\n])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-29-2015
02:06 AM
I have used this.. it is working perfectly
TIME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n]+[\w\_\\*\d\.]*[\r\n]+[A-Z]{2}\d{7,}[\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-27-2015
07:58 AM
Is 1506091724 your timestamp? Why do I see it at the top, too?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-27-2015
11:53 PM
yes. It is the timestamp. I have added it for testing purpose at the top but actually it exists at the bottom. i have modified the log.
Get Updates on the Splunk Community!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
April 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
A Guide To Cloud Migration Success
As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...
Join Us for Splunk University and Get Your Bootcamp Game On!
If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...
