topic Re: Trying to extract timestamp from json field in Getting Data In

Trying to extract timestamp from json field

cblanton — Wed, 30 Sep 2020 03:47:49 GMT

One of the fields being indexed is formatted xx-xx-xxxxx_xx_xx-xx-20ww04c and various other strings always ending with year, week of the year and version, ie a=1, b=2, c=3.

I'm testing this through the Add Data UI which has the Advanced options to provide Timestamp format, Timestamp prefix, and Lookahead.

I'm trying these for the first two values, but it's obviously not correct:

Timestamp format: %yww%Vc
Timestamp prefix: (?<_time>\w{7})$

Thanks for any help

Re: Trying to extract timestamp from json field

to4kawa — Thu, 23 Jan 2020 12:25:22 GMT

| makeresults
| eval time=strftime(_time,"%yww%Vc")
| fieldformat _time=strftime(_time,"%yww%Vc")
| eval check=strptime(time,"%yww%Vc")

wow, It can't be extracted.
| noop search_optimization=false it can't work.

Re: Trying to extract timestamp from json field

abhinav_bel — Fri, 03 Jul 2020 19:48:56 GMT

Hi ,

I am able to get at search time what I want but unable to achieve at index time

My timestamp in data looks like: 2020-07-02T18:00:18+02:00 with name log_modified_date.

i have written below props.conf:

[_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = last_modified_date
TIME_FORMAT = %Y-%m-%dT%H:%M:%S+%2N:%2N
MAX_TIMESTAMP_LOOKAHEAD = 25

and getting time extracted as :

7/2/20
6:00:18.020 PM

I want the time field extracted in same way as in data with + value as well like:

7/2/20
6:00:18+02:00 PM something like this

Please let me know what i am doing wrong as i am not getting expected output.

Re: Trying to extract timestamp from json field

to4kawa — Sat, 04 Jul 2020 07:44:22 GMT

Re: Trying to extract timestamp from json field

abhinav_bel — Sat, 04 Jul 2020 03:25:53 GMT

This timeformat will not work , with adding %：z it will just convert time as per timezone .

I hv already tried what you suggested.

As i said i want time as it is with + value mentioned.

Note +02：00 is fixed with each timestamp in events.

So in case if we can’t get in timeformat ,can we add explicitly at index time.

Pls suggest.

And i have to use time format because there is 1 more time field in data which splunk detecting automatically.

Re: Trying to extract timestamp from json field

to4kawa — Sat, 04 Jul 2020 07:44:39 GMT

Re: Trying to extract timestamp from json field

abhinav_bel — Sat, 04 Jul 2020 05:12:30 GMT

Hi @to4kawa ,

is 2020-07-02T18:02:18 ? - No it doesn't mean

I want +02:00 value separately only along with time:

7/2/20
6:00:44+02:00 PM like this i want in _time.

Please help me getting this and as I told earlier that +02:00 value is fixed with each timestamp so you can leverage of adding hardcore as well, i won't mind just output should be same.

Thanks