https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460781#M79546 <P>if I understand it correctly the date and the time are in the same log event, which implies it comes from the same source</P> Mon, 03 Feb 2020 20:50:57 GMT PavelP 2020-02-03T20:50:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460778#M79543 <P>Hello,</P> <P>I have events without a timestamp like epochtime or a format like <STRONG>2020-02-03 18:41:00</STRONG>.<BR /> The needed information is kind of split up in the raw event. Raw events look like this sample:</P> <P>sometext, <STRONG>date</STRONG>,<STRONG>20200203</STRONG>, some text, some text, <STRONG>time</STRONG>,<STRONG>184100</STRONG>, some text</P> <P>Is it possible to create a useful timestamp extraction of out this during the data onboarding?</P> <P>Best regards</P> Mon, 03 Feb 2020 17:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460778#M79543 peterschloenske 2020-02-03T17:47:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460779#M79544 <P>you have to use custom datetime config which allows regexes between date and time:<BR /> <A href="https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem">https://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem</A></P> Mon, 03 Feb 2020 19:50:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460779#M79544 PavelP 2020-02-03T19:50:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460780#M79545 <P>Are these coming from the same source or from different sources heading to the same index?</P> Mon, 03 Feb 2020 19:50:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460780#M79545 13tsavage 2020-02-03T19:50:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460781#M79546 <P>if I understand it correctly the date and the time are in the same log event, which implies it comes from the same source</P> Mon, 03 Feb 2020 20:50:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460781#M79546 PavelP 2020-02-03T20:50:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460782#M79547 <P>Okay then you need to figure out which format the date and timestamp mark the beginning of a new event. Then you can create custom event breakers for that specific data source.</P> <P>Figure out which time stamp is shown in EVERY event that marks the beginning of that event, and I can help you with the rest.</P> Tue, 04 Feb 2020 14:33:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-unusual-time-information/m-p/460782#M79547 13tsavage 2020-02-04T14:33:53Z