https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386339#M69353 <P>Hi,</P> <P>I have the following sample event data.<BR /> - For some reason, there is no sub-seconds-order data for the timestamp. <BR /> - Original event data does not have ts_SEQ field; I just added for the reference.</P> <PRE><CODE>ts, ev_id, val, ts_SEQ 2018-6-17 08:00:01, A, 10, 1 2018-6-17 08:00:01, B, 0, 2 2018-6-17 08:00:01, C, 3, 3 2018-6-17 08:00:11, A, 20, 4 2018-6-17 08:00:11, B, 0, 5 2018-6-17 08:00:11, C, -1, 6 2018-6-17 08:00:20, A, 5, 7 2018-6-17 08:00:21, B, 0, 8 2018-6-17 08:00:21, C, 12, 9 </CODE></PRE> <P>What I want to do is to extract transactions; It seems that events A-B-C (ev_id) make one transaction group, almost every ten seconds. For example, <CODE>transaction startswith=eval(ev_id="A") endswith=eval(ev_id="C") maxspan=2s</CODE> could be applied.</P> <P>When I indexed the above sample event data, at Set Source Type step, I chose Source Type=CSV, Timestamp Extraction=AUTO. What I got by spl <CODE>source=... | table _time ts ev_id val ts_SEQ | sort _time</CODE> is shown below.<BR /> <IMG src="https://community.splunk.com/storage/temp/251979-%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2018-06-18-180745.png" alt="alt text" /></P> <P>Unfortunately, the ascending order of _time destroys the original event sequence (ts_SEQ), that means,<BR /> the above mentioned transaction extraction would be impossible. Currently, my work around is to add the ts_SEQ value to the original data before indexing, and use ts_SEQ to keep the original event sequence.</P> <P>Question: How to extract timestamp without destroying the sequence of original events from my sample data?</P> <P>Thank you.</P> Tue, 29 Sep 2020 20:01:31 GMT tac24 2020-09-29T20:01:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386339#M69353 <P>Hi,</P> <P>I have the following sample event data.<BR /> - For some reason, there is no sub-seconds-order data for the timestamp. <BR /> - Original event data does not have ts_SEQ field; I just added for the reference.</P> <PRE><CODE>ts, ev_id, val, ts_SEQ 2018-6-17 08:00:01, A, 10, 1 2018-6-17 08:00:01, B, 0, 2 2018-6-17 08:00:01, C, 3, 3 2018-6-17 08:00:11, A, 20, 4 2018-6-17 08:00:11, B, 0, 5 2018-6-17 08:00:11, C, -1, 6 2018-6-17 08:00:20, A, 5, 7 2018-6-17 08:00:21, B, 0, 8 2018-6-17 08:00:21, C, 12, 9 </CODE></PRE> <P>What I want to do is to extract transactions; It seems that events A-B-C (ev_id) make one transaction group, almost every ten seconds. For example, <CODE>transaction startswith=eval(ev_id="A") endswith=eval(ev_id="C") maxspan=2s</CODE> could be applied.</P> <P>When I indexed the above sample event data, at Set Source Type step, I chose Source Type=CSV, Timestamp Extraction=AUTO. What I got by spl <CODE>source=... | table _time ts ev_id val ts_SEQ | sort _time</CODE> is shown below.<BR /> <IMG src="https://community.splunk.com/storage/temp/251979-%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%BC%E3%83%B3%E3%82%B7%E3%83%A7%E3%83%83%E3%83%88-2018-06-18-180745.png" alt="alt text" /></P> <P>Unfortunately, the ascending order of _time destroys the original event sequence (ts_SEQ), that means,<BR /> the above mentioned transaction extraction would be impossible. Currently, my work around is to add the ts_SEQ value to the original data before indexing, and use ts_SEQ to keep the original event sequence.</P> <P>Question: How to extract timestamp without destroying the sequence of original events from my sample data?</P> <P>Thank you.</P> Tue, 29 Sep 2020 20:01:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386339#M69353 tac24 2020-09-29T20:01:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386340#M69354 <P>Splunk is a time-oriented service. That is, time sequence matters more than event sequence. See @dwaddle's answer at <A href="https://answers.splunk.com/answers/665477/retrievedownload-the-original-source-files-after-a.html#answer-665687">https://answers.splunk.com/answers/665477/retrievedownload-the-original-source-files-after-a.html#answer-665687</A> for an excellent explanation of this.</P> Mon, 18 Jun 2018 14:28:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386340#M69354 richgalloway 2018-06-18T14:28:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386341#M69355 <P>Thanks richgalloway,</P> <P>That's what I want to find solutions.<BR /> In other words, at the indexing stage, if multiple events have same<BR /> timestamp value (let's assume YYYY-MM-DD HH:MM:SS format), <BR /> is there any way to keep the sequence of the original events <BR /> when <CODE>table _time ...</CODE> command is applied without assist data (ts_SEQ)?</P> <P>tac24</P> Mon, 18 Jun 2018 23:32:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386341#M69355 tac24 2018-06-18T23:32:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386342#M69356 <P>As dwaddle says, the only guarantee is time. Events with the exact same timestamp may or may not be returned in the same order in which they appear in the original file.</P> Tue, 19 Jun 2018 00:44:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-timestamp-without-destroying-the-sequence-of/m-p/386342#M69356 richgalloway 2018-06-19T00:44:09Z