topic Why does event timestamp appear AFTER another date? in Getting Data In

Why does event timestamp appear AFTER another date?

jmgilpin — Fri, 29 Jul 2022 15:24:40 GMT

This is my example log file:

-- Daily Prod Started 7/28/2022 12:36:05 PM 0.762 sec

-- BegMo='06/01/2022' 7/28/2022 12:36:05 PM 0.049 sec

-- BegDate='06/01/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndDate='07/28/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndMidNight='07/29/2022' 7/28/2022 12:36:05 PM 0 sec

-- Data Collection Start=7/28/2022 12:36:05 PM 7/28/2022 12:36:05 PM 0 sec

How do I pick up the timestamp on lines 2-5 - where there is a date with quotes, and lines 1 and 6, where there is not?

Re: event timestamp appears AFTER another date

PickleRick — Thu, 28 Jul 2022 20:22:26 GMT

Set long enough MAX_TIMESTAMP_LOOKAHEAD and define proper TIME_PREFIX which will account for all event versions.

Re: Event timestamp appears AFTER another date

gcusello — Fri, 29 Jul 2022 06:19:43 GMT

Hi @jmgilpin,

There's only one thing that I don't understand: are you speaking of the event timestamp, or about the extraction of other fields tin date-time format?

In the first case, as @PickleRick said, you should use TIME_PREFIX and TIME_FORMAT to identify the correct timestamp.

In the second case, you should use the first as timestamp and extract the others as fields using regexes.

Ciao.

Giuseppe

Re: Event timestamp appears AFTER another date

jmgilpin — Fri, 29 Jul 2022 12:41:40 GMT

My intent was to parse the timestamp of the event - but I do not see a common set of chars to use as the prefix. The timestamp in quotes is the value of a variable.

Fortunately, I was able to use current timestamp, so I am able to ingest the log files as they are created.

As this is a vendor log - and they are not to keen on changing the log format, current timestamp is workable.

thanks all!

James

Re: Event timestamp appears AFTER another date

gcusello — Fri, 29 Jul 2022 12:57:53 GMT

Hi @jmgilpin,

if the one you shared is a sample of your logs, you could use as TIME_PREFIX the first datetime yu have:

TIME_PREFIX = ^--\s+Daily Prod\s+Started\s+ TIME_FORMAT = %m/%d/%Y %I:%M:%S %p

Ciao.

Giuseppe

Re: Event timestamp appears AFTER another date

jmgilpin — Fri, 29 Jul 2022 13:12:20 GMT

Interesting, I was treating each line as a separate entry, but treating the group of items as a single entry... that would work... will gave that a try and get back to you.

Thanks!

Re: Event timestamp appears AFTER another date

gcusello — Fri, 29 Jul 2022 13:23:13 GMT

Hi @jmgilpin,

good for you,

tell me if I can help you more, otherwise, please, accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉