topic Re: how to extract a timestamp from beginning of splunk log statement in Splunk Search

how to extract a timestamp from beginning of splunk log statement

donB — Fri, 06 Aug 2021 07:43:16 GMT

All my log statements are of below format.

{ "source": "stdout", "tag": "practice/myapplication:4444a76b917", "labels": { "pod-template-hash": "343242344", "version": "9216a76b917b8258a1ee6de7d3bbf9a78ca59f1f", "app_docker_io/instance": "my-application" }, "time": "1628235185.043", "line": "2021-08-06T07:33:05.043Z LCS traceId=a83a082592cf2275, spanId=a83a082592cf2275 LCE [qtp310090733-278] ERROR c.p.p.c.a.ErrorHandlerAdvice.logErrorDesc(34) - ERROR RESPONSE SENT", "attrs": { "image": "practice/myapplication:4444a76b917", "env": "dev", "region": "local", "az": "us-west" } }

i want to extract the timestamp from beginning of each line and sort my results based on that timestamp. I have no idea of splunk search queries. can someone help?

Re: how to extract a timestamp from beginning of splunk log statement

venkatasri — Fri, 06 Aug 2021 07:32:41 GMT

Hi @donB

Can you share the original _raw event and highlight the timestamp required to be extracted?

Re: how to extract a timestamp from beginning of splunk log statement

donB — Fri, 06 Aug 2021 07:43:55 GMT

added the raw event (json), thank you

Re: how to extract a timestamp from beginning of splunk log statement

venkatasri — Fri, 06 Aug 2021 08:02:44 GMT

your _time should have been mapped to "time": already. you can check that by converting it from epoch to readable format.

Alternatively try this for your requirement.

<your_search> | rex "\"time\":\s+\"(?<time>[^\"]+)" | sort time | convert ctime(time) as time_readable