https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334873#M61929 <P>Hi Guys, </P> <P>I am trying to use the GUI to index a file that's not in a recognised format and I'm having issues with extracting the timestamp. </P> <P>I have broken the event up fine but the timestamp is on the line shown below. The first time it finds "12:00:00" is incorrect so I'm looking to extract the incident time as the time section of my date and timestamp. </P> <P><EM>Date Of Incident: 12/02/2015 12:00:00 AM, Incident Time: 1250</EM></P> <P>In the timestamp prefix section I have told it to look after Date of Incident: but it only finds 12/02/2015 12:00:00 AM. Does anyone know of a way to tell it to continue looking so I add the correct incident time?</P> <P>Any help would be appreciated as I am really struggling with this!</P> <P>Thanks! </P> Thu, 27 Jul 2017 11:23:49 GMT Robbie1194 2017-07-27T11:23:49Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334873#M61929 <P>Hi Guys, </P> <P>I am trying to use the GUI to index a file that's not in a recognised format and I'm having issues with extracting the timestamp. </P> <P>I have broken the event up fine but the timestamp is on the line shown below. The first time it finds "12:00:00" is incorrect so I'm looking to extract the incident time as the time section of my date and timestamp. </P> <P><EM>Date Of Incident: 12/02/2015 12:00:00 AM, Incident Time: 1250</EM></P> <P>In the timestamp prefix section I have told it to look after Date of Incident: but it only finds 12/02/2015 12:00:00 AM. Does anyone know of a way to tell it to continue looking so I add the correct incident time?</P> <P>Any help would be appreciated as I am really struggling with this!</P> <P>Thanks! </P> Thu, 27 Jul 2017 11:23:49 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334873#M61929 Robbie1194 2017-07-27T11:23:49Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334874#M61930 <P>So just to make it clean (I didn't explain myself very well), the timestamp I'm looking to extract would be 12/02/2015 12:50:00</P> Thu, 27 Jul 2017 11:25:46 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334874#M61930 Robbie1194 2017-07-27T11:25:46Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334875#M61931 <P>In the Select sourcetype screen, go to advanced tab on left sidebar and add following attributes</P> <PRE><CODE>TIME_PREFIX = Date Of Incident:\s+ TIME_FORMAT = %m/%d/%Y %H:%M:%S %p </CODE></PRE> Thu, 27 Jul 2017 12:19:07 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334875#M61931 somesoni2 2017-07-27T12:19:07Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334876#M61932 <P>Hi somesoni2 </P> <P>Unfortunately that doesn't work, it still finds 12/02/2015 12:00:00 instead of 12/02/2015 12:50:00.</P> <P>I need to take the incident time value and add it to the Date of Incident date. </P> Thu, 27 Jul 2017 12:27:57 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334876#M61932 Robbie1194 2017-07-27T12:27:57Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334877#M61933 <P>Can you tell us more about this data source? </P> <P>How often do you ingest events, is it a file monitor? do you have control of the format?</P> <P>You may need to live with the date parsing and deal with the time at search time at this point. The data's format is poor and I would look at cleaning it up at the source if at all possible. </P> Thu, 27 Jul 2017 12:44:35 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334877#M61933 mattymo 2017-07-27T12:44:35Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334878#M61934 <P>It's a file monitor and unfortunately there's no way of me changing the data's format <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 27 Jul 2017 13:01:48 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334878#M61934 Robbie1194 2017-07-27T13:01:48Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334879#M61935 <P>Hi Robbie1194,<BR /> I think that the only way is pre parse your files using a script!<BR /> Bye.<BR /> Giuseppe</P> Thu, 27 Jul 2017 13:22:54 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334879#M61935 gcusello 2017-07-27T13:22:54Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334880#M61936 <P>Hi Robbie1194,<BR /> I think that the only way is pre parse your files using a script!<BR /> Bye.<BR /> Giuseppe</P> Thu, 27 Jul 2017 13:22:54 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334880#M61936 gcusello 2017-07-27T13:22:54Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334881#M61937 <P>Ok, so let's talk use cases. </P> <P>With the extraction of the "Date of Incident", you can at least be sure that your events indexed and are groupable by day. Then using an extracted field you could extract time. You can then eval a field that stitches them together and you could chart using that data. </P> <P>What are some of the things you are going to try and achieve with this data...Charting incidents over time? reporting on the number of incidents over time? drilldown to view the incident?</P> <P>What does a full event look like?</P> <P>Splunk's power is in the ability to constantly change schema on the fly and to massage data, so there are many ways to go about this, but generally the most critical use case or item you are trying to achieve will dictate the levers to pull. </P> Thu, 27 Jul 2017 13:39:54 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334881#M61937 mattymo 2017-07-27T13:39:54Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334882#M61938 <P>@Robbie1194, if the log always has <CODE>12:00:00 AM</CODE> present for the Date field, you can try the following in your sourcetype:</P> <PRE><CODE>TIME_FORMAT=%d/%m/%Y 12:00:00 AM, Incident Time: %H%M TIME_PREFIX=Date Of Incident:\s+ MAX_TIMESTAMP_LOOKAHEAD=43 </CODE></PRE> <P>If it not not always fixed as 12:00:00 AM, then you might have to create your own datetime configuration xml (yourcustomdatetime.xml) instead of relying upon the default datetime.xml.</P> <P>Here is a blog explaining the same: <A href="https://www.splunk.com/blog/2014/04/23/its-that-time-again.html">https://www.splunk.com/blog/2014/04/23/its-that-time-again.html</A></P> Thu, 27 Jul 2017 13:49:32 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334882#M61938 niketn 2017-07-27T13:49:32Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334883#M61939 <P>Try with this</P> <PRE><CODE>TIME_PREFIX = Date Of Incident:\s+ TIME_FORMAT = %m/%d/%Y 12:00:00 AM, Incident Time: %H%M </CODE></PRE> Thu, 27 Jul 2017 13:50:57 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334883#M61939 somesoni2 2017-07-27T13:50:57Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334884#M61940 <P>worked for me</P> <P>as long as the pattern stays the same should work. </P> <P><IMG src="http://i.imgur.com/eyGZ78e.png" alt="alt text" /></P> Thu, 27 Jul 2017 13:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334884#M61940 mattymo 2017-07-27T13:55:01Z https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334885#M61941 <P>looks good, like niketnilay said, as long as you can trust that regex will always hit, you are golden<IMG src="http://i.imgur.com/eyGZ78e.png" alt="alt text" /></P> Thu, 27 Jul 2017 13:55:46 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-timestamps-in-custom-data/m-p/334885#M61941 mattymo 2017-07-27T13:55:46Z