topic Re: Timestamp ascending in Getting Data In

Timestamp ascending

ToniSchulz — Wed, 04 Mar 2015 13:51:54 GMT

Hello,

I have a problem concerning the timestamp of my logfiles. We want to look through a large textfile with structured values in it which looks like this:

date: 18.02.2015/ time: 13:09

filter: Moving Average 1

offset: 2,730863

tension; torsion; bending momentx; bending moment y; time; temperature

+172.107700;+0.856136;+0.000000;-4.752090;+335.291875;+23.750000
+389.506900;-1.284204;-3.573091;+1.018305;+335.292500;+23.750000
+489.148200;+0.214034;-0.922088;-4.525800;+335.293125;+23.750000
+199.282600;-0.642102;+0.115261;-3.168060;+335.293750;+23.750000
+262.690700;+1.284204;+0.922088;-2.376045;+335.294375;+23.750000
+461.973300;+0.642102;-1.267871;-3.394350;+335.295000;+23.750000
+280.807300;+0.000000;+1.383132;-2.715480;+335.295625;+23.750000
+443.856700;+0.749119;-1.383132;+2.602335;+335.296250;+23.750000

The timestamp is in fact the time that is written on top plus the seconds within each line (second last position).
Can I tell Splunk anyhow that the timestamp is in this case 13:09 + 335.xx seconds?

Thanks a lot in advance!

Toni

Re: Timestamp ascending

gfuente — Wed, 04 Mar 2015 16:13:26 GMT

Hello

I dont think Splunk can recognize that timestamp pattern. Instead you could use, current timestamp (supposing that your data is generated in real time)

Or maybe you could write an script to preprocess the logs, and attach a recognizable timestamp to each event or use this app https://apps.splunk.com/app/1901/ to do somethins like that.

Regards

Re: Timestamp ascending

cpetterborg — Wed, 04 Mar 2015 18:33:38 GMT

Do you need the timestamp for the event to be adjusted by the +335.xxx seconds? Or can you deal with the timestamp being 18.02.2015/ time: 13:09, and then do your search with some adjustments to them time where you would do something like this?:

<yoursearch> | rex "<rex-to-get-offset>" | eval real_time=_time+offset | <whatever-you-do-with-the-real_time>

This is not exact, but it gives you an IDEA of what you could do. Is this sort of search-time date creation usable for you?

Re: Timestamp ascending

ToniSchulz — Thu, 05 Mar 2015 07:03:44 GMT

I think that could work for us. I give it a try!

Re: Timestamp ascending

markthompson — Thu, 05 Mar 2015 11:17:14 GMT

@ToniSchulz

Does your splunk, when you run a search, if you look at the predefined fields, does it pick up your timestamp?

Re: Timestamp ascending

ToniSchulz — Mon, 09 Mar 2015 11:33:28 GMT

Thanks a lot for all your answers!
I meanwhile changed the way of importing it and used a pre process outside of splunk to change the format. Now Splunk knows the right time. I till have problems with making a timechart in Milliseconds, but that is within another topic.

Again thanks for you support!