https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50405#M12117 <P>Hi everyone,</P> <P>I have the following log line which has two timestamps and we need to get the SECOND one. </P> <PRE><CODE>Mar 4 18:50:02 ids1-ecojbs-p01 access_combined: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] </CODE></PRE> <P><BR /><BR /><BR /> I tried using the wizard that Splunk provides and changed the setting in <BR /> Manager » Data inputs » Add data » A file or directory of files » Files &amp; directories » Data preview, to the following</P> <PRE><CODE>NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_FORMAT=/[%d/%b/%Y:%H:%M%S]/g </CODE></PRE> <P><BR /><BR /><BR /> But this regex does not seem to be working out</P> <P>Other potential log lines (where the second timestamp needs to be extracted), look like </P> <PRE><CODE>Mar 4 18:50:02 ids1-ecojbs-p01 syslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] Mar 4 18:50:02 ids1-ecojbs-p01 oslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] </CODE></PRE> <P><BR /><BR /> Does anybody know what else ought to be configured in the wizard ?<BR /> Does it need a TIME_PREFIX ?<BR /> All input (especially by those who know regex) is welcome !</P> Mon, 04 Mar 2013 19:49:19 GMT asarolkar 2013-03-04T19:49:19Z https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50405#M12117 <P>Hi everyone,</P> <P>I have the following log line which has two timestamps and we need to get the SECOND one. </P> <PRE><CODE>Mar 4 18:50:02 ids1-ecojbs-p01 access_combined: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] </CODE></PRE> <P><BR /><BR /><BR /> I tried using the wizard that Splunk provides and changed the setting in <BR /> Manager » Data inputs » Add data » A file or directory of files » Files &amp; directories » Data preview, to the following</P> <PRE><CODE>NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_FORMAT=/[%d/%b/%Y:%H:%M%S]/g </CODE></PRE> <P><BR /><BR /><BR /> But this regex does not seem to be working out</P> <P>Other potential log lines (where the second timestamp needs to be extracted), look like </P> <PRE><CODE>Mar 4 18:50:02 ids1-ecojbs-p01 syslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] Mar 4 18:50:02 ids1-ecojbs-p01 oslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800] </CODE></PRE> <P><BR /><BR /> Does anybody know what else ought to be configured in the wizard ?<BR /> Does it need a TIME_PREFIX ?<BR /> All input (especially by those who know regex) is welcome !</P> Mon, 04 Mar 2013 19:49:19 GMT https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50405#M12117 asarolkar 2013-03-04T19:49:19Z https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50406#M12118 <P>Not sure what the leading / and trailing /g in your <CODE>TIME_FORMAT</CODE> is meant to be? It seems a bit like sed syntax...</P> <P>The easiest thing would be to pick a <CODE>TIME_PREFIX</CODE> that makes Splunk jump to the correct timestamp. From there on I'm fairly sure it will recognize the timestamp format itself. Perhaps</P> <PRE><CODE>TIME_PREFIX = - - \[ </CODE></PRE> <P>?</P> Mon, 04 Mar 2013 20:20:12 GMT https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50406#M12118 Ayn 2013-03-04T20:20:12Z https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50407#M12119 <P>That partly solved the problem.</P> <P>I will pose my question once again (this time with more detail)</P> Tue, 05 Mar 2013 01:56:56 GMT https://community.splunk.com/t5/Splunk-Search/Timestamp-extraction-issue/m-p/50407#M12119 asarolkar 2013-03-05T01:56:56Z