https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370146#M169842 <P>hi All,</P> <P>Am trying to extract the time stamp inside event as index time. We have similar sourcetype of logs from 4 different indexes </P> <P>Apr 19 09:21:12 XYZADMXYZAB3P04 XYZADMXYZAB3P04 [customer] [426426|TaskExecutor-master-426426-ProcessTask [8797404726198]] [2018-04-19 09:21:11,929] [not present] [admin] [true]: Customer [<A href="mailto:aubcdsatest@google.com">aubcdsatest@google.com</A>] is created/updated<BR /> Apr 25 15:00:44 XYZADMXYZAB3P04 XYZADMXYZAB3P04 [customer] [139468|TaskExecutor-master-139468-ProcessTask [8797864231862]] [2018-04-25 15:00:41,004] [not present] [admin] [true]: Customer [<A href="mailto:m.abcsree40@gmail.com">m.abcsree40@gmail.com</A>] is created/updated<BR /> Apr 4 09:52:28 XYZECMXYZAB1P43 XYZECMXYZAB1P43 [customer] [103920|ajp-bio-8010-exec-158] [2018-04-04 09:52:21,843] [192.145.12.4] [<A href="mailto:line.sssss@icloud.com">line.sssss@icloud.com</A>] [true]: Customer [<A href="mailto:lint.sre@icloud.com">lint.sre@icloud.com</A>] is created/updated<BR /> Apr 4 09:52:28 XYZECMXYZAB1P43 XYZECMXYZAB1P43 [authentication] [103920|ajp-bio-8010-exec-158] [2018-04-04 09:52:21,876] [192.145.12.4] [<A href="mailto:abcd.sssss@icloud.com">abcd.sssss@icloud.com</A>] [true]: user [<A href="mailto:abcd.ssss@icloud.com">abcd.ssss@icloud.com</A>] successfully authenticated<BR /> Apr 9 12:41:52 XYZBUSXYZAB3P01 XYZBUSXYZAB3P01 [employee] [200061|hybrisHTTP8] [2018-04-09 12:41:48,609] [10.44.189.72] [anonymous] [true]: Employee [tester] is created/updated</P> <P>Apr 21 02:55:46 ABCPUBXYZAB56 ABCPUBXYZAB56 2018-04-21 02:55:39.800 INFO [com.xyxf.auth.core.XYLoginHookAuthenticationHandler] Activated XYZ authentication feedback handler wrap handler enabled is true<BR /> Apr 12 08:23:06 ABCPUBXYZAB47 ABCPUBXYZAB47 2018-04-12 08:23:00.401 INFO [com.xyzf.auth.core.XYLoginHookAuthenticationHandler] 10.66.101.22 admin failed</P> <P>In the above logs how to extract the second timestamp as indextime. can someone help me with RegEx.</P> <P>Thanks,<BR /> Sree</P> Sat, 28 Apr 2018 16:30:38 GMT mallempatisreed 2018-04-28T16:30:38Z https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370146#M169842 <P>hi All,</P> <P>Am trying to extract the time stamp inside event as index time. We have similar sourcetype of logs from 4 different indexes </P> <P>Apr 19 09:21:12 XYZADMXYZAB3P04 XYZADMXYZAB3P04 [customer] [426426|TaskExecutor-master-426426-ProcessTask [8797404726198]] [2018-04-19 09:21:11,929] [not present] [admin] [true]: Customer [<A href="mailto:aubcdsatest@google.com">aubcdsatest@google.com</A>] is created/updated<BR /> Apr 25 15:00:44 XYZADMXYZAB3P04 XYZADMXYZAB3P04 [customer] [139468|TaskExecutor-master-139468-ProcessTask [8797864231862]] [2018-04-25 15:00:41,004] [not present] [admin] [true]: Customer [<A href="mailto:m.abcsree40@gmail.com">m.abcsree40@gmail.com</A>] is created/updated<BR /> Apr 4 09:52:28 XYZECMXYZAB1P43 XYZECMXYZAB1P43 [customer] [103920|ajp-bio-8010-exec-158] [2018-04-04 09:52:21,843] [192.145.12.4] [<A href="mailto:line.sssss@icloud.com">line.sssss@icloud.com</A>] [true]: Customer [<A href="mailto:lint.sre@icloud.com">lint.sre@icloud.com</A>] is created/updated<BR /> Apr 4 09:52:28 XYZECMXYZAB1P43 XYZECMXYZAB1P43 [authentication] [103920|ajp-bio-8010-exec-158] [2018-04-04 09:52:21,876] [192.145.12.4] [<A href="mailto:abcd.sssss@icloud.com">abcd.sssss@icloud.com</A>] [true]: user [<A href="mailto:abcd.ssss@icloud.com">abcd.ssss@icloud.com</A>] successfully authenticated<BR /> Apr 9 12:41:52 XYZBUSXYZAB3P01 XYZBUSXYZAB3P01 [employee] [200061|hybrisHTTP8] [2018-04-09 12:41:48,609] [10.44.189.72] [anonymous] [true]: Employee [tester] is created/updated</P> <P>Apr 21 02:55:46 ABCPUBXYZAB56 ABCPUBXYZAB56 2018-04-21 02:55:39.800 INFO [com.xyxf.auth.core.XYLoginHookAuthenticationHandler] Activated XYZ authentication feedback handler wrap handler enabled is true<BR /> Apr 12 08:23:06 ABCPUBXYZAB47 ABCPUBXYZAB47 2018-04-12 08:23:00.401 INFO [com.xyzf.auth.core.XYLoginHookAuthenticationHandler] 10.66.101.22 admin failed</P> <P>In the above logs how to extract the second timestamp as indextime. can someone help me with RegEx.</P> <P>Thanks,<BR /> Sree</P> Sat, 28 Apr 2018 16:30:38 GMT https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370146#M169842 mallempatisreed 2018-04-28T16:30:38Z https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370147#M169843 <P>Hi Mallempatisreeedhar, </P> <P>I wrote a regex that should help you extract the timestamps you want. </P> <P>Click here to see the regex. Also regex101 is a great site for developing those regexes.</P> <P><A href="https://regex101.com/r/62Pfpn/1">https://regex101.com/r/62Pfpn/1</A></P> <P>If you want a SPL example:<BR /> <CODE>| rex field=_raw "\[?(?&lt;time&gt;20\d\d-\d\d-\d\d\s*\d\d:\d\d:\d\d(?:\,|\.)\d+)\[?"</CODE></P> Sat, 28 Apr 2018 20:27:45 GMT https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370147#M169843 horsefez 2018-04-28T20:27:45Z https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370148#M169844 <P>@mallempatisreedhar , can you try this please:</P> <PRE><CODE>| rex "^.*(?=(\d{4}-\d+-\d+\s\d+:\d+:\d+[,.]\d+))(?&lt;time&gt;\d{4}-\d+-\d+\s\d+:\d+:\d+[,.]\d+)" </CODE></PRE> <P>if you want extract the time at parsing using sourcetype stanza props.conf:</P> <PRE><CODE>TIME_FORMAT=%Y-%m-%d %H:%M:%S TIME_PREFIX=^.*(?=(\d{4}-\d+-\d+\s\d+:\d+:\d+[,.]\d+)) </CODE></PRE> Sat, 28 Apr 2018 20:49:15 GMT https://community.splunk.com/t5/Splunk-Search/how-to-Configure-positional-timestamp-extraction-in-log-using/m-p/370148#M169844 TISKAR 2018-04-28T20:49:15Z