https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158777#M32194 <P>That's fine. I'm willing to do that calculation at search time. But I still need the all the data on the event to do that.</P> Mon, 24 Feb 2014 19:51:34 GMT ssledzie 2014-02-24T19:51:34Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158773#M32190 <P>Say I fed a file into splunk that had a date field at the top.</P> <P>Then after that, one event per line that contained a time offset from the aforementioned date field. Any way I could make splunk assign a timestamp from date+time offset to the event?</P> Wed, 19 Feb 2014 23:39:34 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158773#M32190 ssledzie 2014-02-19T23:39:34Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158774#M32191 <P>I'm gonna venture an educated guess - No, you cannot perform math on index time extractions.</P> <P>However, you can math in a search. Once you get it the way you want it, you can create a macro so it can be called easily. </P> Thu, 20 Feb 2014 00:01:14 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158774#M32191 lukejadamec 2014-02-20T00:01:14Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158775#M32192 <P>What if I didn't do any math but appended the start date to every event? Is that possible?</P> Mon, 24 Feb 2014 18:55:52 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158775#M32192 ssledzie 2014-02-24T18:55:52Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158776#M32193 <P>You'd still have to do math in order to add the start date and the offset. The timestamp processor doesn't have that kind of functionality.</P> Mon, 24 Feb 2014 19:15:07 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158776#M32193 Ayn 2014-02-24T19:15:07Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158777#M32194 <P>That's fine. I'm willing to do that calculation at search time. But I still need the all the data on the event to do that.</P> Mon, 24 Feb 2014 19:51:34 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158777#M32194 ssledzie 2014-02-24T19:51:34Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158778#M32195 <P>Have you read this doc? <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/HowSplunkextractstimestamps">http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/HowSplunkextractstimestamps</A><BR /> According to that doc, if you can configure props.conf to recognize the 'date field' as an event of the same sourcetype, and pull the date as a date time, then all subsequent events would default to that 'date time' because the subsequent events of that same sourcetype do not have a valid 'date time'.<BR /><BR /> It is tough without seeing the data or log file structure.</P> Mon, 24 Feb 2014 19:57:15 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158778#M32195 lukejadamec 2014-02-24T19:57:15Z https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158779#M32196 <P>I'll check the doc thanks. In either case, the format would be something like:</P> <P><START_FILE><BR /> DATE: 02/24/2014 11:00:00</START_FILE></P> <P>0 <SOME_EVENT><BR /> 5 <SOME_EVENT><BR /> 10 <SOME_EVENT><BR /> <END_FILE></END_FILE></SOME_EVENT></SOME_EVENT></SOME_EVENT></P> <P>In the above example 0,5, and 10 are offsets from the date header.</P> Mon, 24 Feb 2014 20:39:41 GMT https://community.splunk.com/t5/Getting-Data-In/Tricky-parsing-requirement/m-p/158779#M32196 ssledzie 2014-02-24T20:39:41Z