https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127915#M26276 <P>Hi,</P> <P>I have eventdata as follows ,</P> <P>05NOV13 XYZ1 21:40:21 GMI User JESSD11 GMI sessn 1 timed-out token 2872827 revoked<BR /> 26JAN14 ABC1 21:36:50 GMI User JESSE05 Token #0442422 removed from CMW SOT( 139)<BR /> 26JAN14 ABC1 21:36:50 GMI User JESSE05 GMI sessn 1 logged off token 0442422 deleted<BR /> 26JAN14 XYZ1 21:40:21 TOW USER JESSD91 TERM #2872827 WAS FORCED OFF BY TIMEOUT<BR /> 26JAN14 XYZ1 21:40:21 GMI User JESSD91 GMI sessn 1 timed-out token 2872827 revoked<BR /> 26JAN14 ABC1 21:40:50 GMI User JESSD91 Token #2872827 removed from CMW SOT( 140)<BR /> 26JAN14 ABC1 21:40:50 GMI User JESSD91 GMI sessn 1 logged off token 2872827 deleted</P> <P>in which i have date mentioned in one place and timestamp mentioned in another place ,</P> <P>How can i use my TIME_FORMAT attribute for this case ? to pick the ryt time ??? </P> <P>i.e 26JAN14 ABC1 21:40:50 as 26JAN14 21:40:50 </P> <P>tried the following in props.conf , but didnt work any other solution for this ??</P> <P>TIME_FORMAT = %d%b%y\s[A-Z0-9]{4}\s%H:%M:%S</P> Tue, 28 Jan 2014 12:12:29 GMT rakesh_498115 2014-01-28T12:12:29Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127915#M26276 <P>Hi,</P> <P>I have eventdata as follows ,</P> <P>05NOV13 XYZ1 21:40:21 GMI User JESSD11 GMI sessn 1 timed-out token 2872827 revoked<BR /> 26JAN14 ABC1 21:36:50 GMI User JESSE05 Token #0442422 removed from CMW SOT( 139)<BR /> 26JAN14 ABC1 21:36:50 GMI User JESSE05 GMI sessn 1 logged off token 0442422 deleted<BR /> 26JAN14 XYZ1 21:40:21 TOW USER JESSD91 TERM #2872827 WAS FORCED OFF BY TIMEOUT<BR /> 26JAN14 XYZ1 21:40:21 GMI User JESSD91 GMI sessn 1 timed-out token 2872827 revoked<BR /> 26JAN14 ABC1 21:40:50 GMI User JESSD91 Token #2872827 removed from CMW SOT( 140)<BR /> 26JAN14 ABC1 21:40:50 GMI User JESSD91 GMI sessn 1 logged off token 2872827 deleted</P> <P>in which i have date mentioned in one place and timestamp mentioned in another place ,</P> <P>How can i use my TIME_FORMAT attribute for this case ? to pick the ryt time ??? </P> <P>i.e 26JAN14 ABC1 21:40:50 as 26JAN14 21:40:50 </P> <P>tried the following in props.conf , but didnt work any other solution for this ??</P> <P>TIME_FORMAT = %d%b%y\s[A-Z0-9]{4}\s%H:%M:%S</P> Tue, 28 Jan 2014 12:12:29 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127915#M26276 rakesh_498115 2014-01-28T12:12:29Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127916#M26277 <P>What type of information is represented by the XYZ1 and ABC1? Time Zone? Or something else?</P> <P>I don't think TIME_FORMAT can handle the regex pattern in a nice way - in fact I believe that it tries to match the literal string, square brackets and all.</P> Tue, 28 Jan 2014 13:35:30 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127916#M26277 kristian_kolb 2014-01-28T13:35:30Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127917#M26278 <P>I agree that TIME_FORMAT cannot accept a regex string. Here's something I thought of, but haven't yet tried. Use a transform to parse the event data then an eval to build a datetime string.</P> <P>props.conf:</P> <P><CODE>[test]<BR /> REPORT-logdata = parseLogData<BR /> EVAL-datetime = date." ".time<BR /> ...<BR /> </CODE></P> <P>transforms.conf:</P> <P><CODE>[parseLogData]<BR /> REGEX = "(?&lt;date&gt;.*?)\s(?&lt;foo&gt;.*?)\s(?&lt;time&gt;.*?)\s"<BR /> </CODE></P> Tue, 28 Jan 2014 13:55:04 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127917#M26278 richgalloway 2014-01-28T13:55:04Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127918#M26279 <P>Hi Kristian..XYZ1 and ABC1 represents my system codes...</P> Tue, 28 Jan 2014 14:54:07 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127918#M26279 rakesh_498115 2014-01-28T14:54:07Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127919#M26280 <P>Sorry, that won't work. The tranformations take place after timestamp extractions.</P> Wed, 29 Jan 2014 02:25:10 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127919#M26280 kristian_kolb 2014-01-29T02:25:10Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127920#M26281 <P>If the timestamp is not recognized, you need to make changes to datetime.xml</P> <P>you can use following in datetime.xml</P> <PRE><CODE>&lt;define name="_cssdatetime" extract="day, litmonth, year, ignored_sep3, hour, minute, second"&gt; &lt;text&gt;&lt;![CDATA[([012]\d|3[01])(?i)(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?:20)?([901]\d)(?!\d| {2,})\s+(\w+)\s+([012]?\d):([0-6]?\d):([0-6]?\d)]]&gt;&lt;/text&gt; &lt;/define&gt; </CODE></PRE> <P>And point your sourcetype to this new datetime xml using DATETIME_CONFIG in props.conf</P> Thu, 30 Jan 2014 10:53:36 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127920#M26281 adityapavan18 2014-01-30T10:53:36Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127921#M26282 <P>Excellent Pavan .. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 31 Jan 2014 09:38:07 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-extraction-from-event-data/m-p/127921#M26282 rakesh_498115 2014-01-31T09:38:07Z