https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191542#M38121 <P>Hi all!</P> <P>I have a problem with my log. Some events have only one timestamp, some have two - as in this example : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configurepositionaltimestampextraction#Example" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configurepositionaltimestampextraction#Example</A></P> <P><STRONG>How should I configure splunk to always match the latest timestamp in the event?</STRONG><BR /> I could write regex, but I only can provide time PREFIX (TIME_PREFIX=...). If I write a TIME_PREFIX for two-timestamps-event - some events (with only one timestamp) will have incorrect time (time of indexing)</P> Mon, 28 Sep 2020 18:40:45 GMT lukasz92 2020-09-28T18:40:45Z https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191542#M38121 <P>Hi all!</P> <P>I have a problem with my log. Some events have only one timestamp, some have two - as in this example : <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configurepositionaltimestampextraction#Example" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Configurepositionaltimestampextraction#Example</A></P> <P><STRONG>How should I configure splunk to always match the latest timestamp in the event?</STRONG><BR /> I could write regex, but I only can provide time PREFIX (TIME_PREFIX=...). If I write a TIME_PREFIX for two-timestamps-event - some events (with only one timestamp) will have incorrect time (time of indexing)</P> Mon, 28 Sep 2020 18:40:45 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191542#M38121 lukasz92 2020-09-28T18:40:45Z https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191543#M38122 <P>I would try it with a regexp with a two alternatives, one with a positive look ahead (?=…second time stamp regexp…)so it only matches if there is a second timestamp, did not try it out, but I think this could work.</P> Mon, 12 Jan 2015 14:15:03 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191543#M38122 FritzWittwer_ol 2015-01-12T14:15:03Z https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191544#M38123 <P>Can you provide some samples of your events (mask sensitive information) with both single and double timestamp values.?</P> Mon, 12 Jan 2015 15:39:01 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191544#M38123 somesoni2 2015-01-12T15:39:01Z https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191545#M38124 <P>I solved my problem with using one, more complicated regex - with question mark match: <CODE>()?</CODE><BR /> TIME_PREFIX = <CODE>(.*something123 (\[)?([^,]*, somethingother[^,]*,[^,]*, [^0-9]*)?)?</CODE><BR /> It was possible with my custom data.</P> <P>@FritzWittwer<BR /> I haven't tried your solution, maybe it works.</P> <P>I will keep the question open, for other ideas.</P> Fri, 06 Feb 2015 14:55:54 GMT https://community.splunk.com/t5/Getting-Data-In/timestamp-recognition-in-multi-timestamp-event/m-p/191545#M38124 lukasz92 2015-02-06T14:55:54Z