topic Re: multikv row timestamp extraction in Getting Data In

multikv row timestamp extraction

kubowler99 — Sat, 25 Feb 2012 20:19:12 GMT

I'm trying to figure out the best way to extract a time stamp (not date) from a row when using multikv.

Here's the raw data:

" AIX Net Activity for Sunday, January 1, 2012 (00:00-00:00) (1) es2p375p"

         CPU            KB       PKTS            PKT ERRS          
  ------------------ --------- --------- ------------------------- 
  %I  %K %U %W logc   I    O    I    O   In errs O errs Collisions 
  --- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------

20:00 95 4 1 0 0.40 0 0 * * * * *

18:00 95 4 1 0 0.38 0 0 * * * * *

16:00 95 4 1 0 0.38 0 0 * * * * *

14:00 94 4 1 0 0.42 0 0 * * * * *

12:00 95 4 1 0 0.41 0 0 * * * * *

10:00 95 4 1 0 0.40 0 0 * * * * *

08:00 95 4 1 0 0.41 0 0 * * * * *

06:00 86 4 5 5 0.73 0 0 * * * * *

04:00 85 5 7 3 0.95 0 0 * * * * *

02:00 93 5 1 1 0.51 0 0 * * * * *

00:24 95 3 1 0 0.36 0 0 * * * * *

--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
SUM: 0 0

AVG: 93 4 2 1 0.49 0 0

I've already configured the multikv.conf and props.conf files to parse the log and extract the fields properly (there are multiple tables in a single log file, one table for each day).

Splunk see's each table as a different day, but the timestamp for each event/row is always 00:00, as opposed to the time in the first field of the event row. For example, the row

20:00 95 4 1 0 0.40 0 0 * * * * *

Will have a date/time stamp of January 1, 2012 00:00, instead of January 1, 2012 20:00.

Any ideas on the best way to solve this? All suggestions are welcome. Thanks!

Re: multikv row timestamp extraction

lguinn2 — Mon, 27 Feb 2012 03:41:22 GMT

First, assume that the first column is extracted into a field called "T". You can calculate the full timestamp as

<yoursearch> | multikv <params> | eval timestamp = _time + strptime(T, "%H:%M") | 
fieldformat timestamp = strftime(timestamp,"%x %X") | ...

Now you can use the new field called "timestamp" instead of _time in the remainder of your command...

Re: multikv row timestamp extraction

kubowler99 — Mon, 27 Feb 2012 13:58:45 GMT

Thanks, lguinn. Will give it a shot and post results.

Re: multikv row timestamp extraction

kubowler99 — Mon, 27 Feb 2012 14:54:55 GMT

Thanks, again.

I don't think the above is completely accurate, as I modified the strftime to (timestamp, "%B %d, %Y %H:%M") to get the full date, and both the day and time are off. Instead of January 5, 2012 19:00, it returns March 02, 2054 01:00.

I'm assuming it's the eval statement that may need to be modified, but not sure.

Re: multikv row timestamp extraction

kubowler99 — Mon, 27 Feb 2012 15:08:15 GMT

Yeah - looks like the strptime(T, "%H:%M") is being evaluated with a Month, Day, Year, in addition to the Hour:Minute, which is hosing the epochtime. For example, when I only have 'eval timestamp = strptime(T, "%H:%M"), and T="19:00", timestamp returns as February 26, 2012 19:00. This would explain why your solution returns the March 02, 2054 01:00 timestamp.

Back to the drawing board, I guess. Still working on it.