https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97694#M25198 <P>i have events that look like this:</P> <PRE><CODE>CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SescLU.exe"|High| eventId=5480802 externalId=0E68DF150A0064A4000A5EDF35775715 start=1290620312000 end=1290620312000 art=1290622138975 deviceSeverity=7 rt=1290622392494 dhost=IL06TR3534M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci456trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe cs2=gsgdg cs1Label=Rule Name cs2Label=Site Name ahost=il02cdgdgsadgpp23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Medfgdfrfgck adfgndfd fCdfo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQioBAjhgfBCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=17653876548768 ad.GROUP__ID.c=262887CD380ABC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620312000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"|High| eventId=5480801 externalId=14B8F26D0A0064A4000A5EDF382EDBF5 start=1290620393000 end=1290620393000 art=1290622138975 deviceSeverity=7 rt=1290622392479 dhost=IL06TR345M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci64trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/Smc.exe cs2=hfghgf cs1Label=Rule Name cs2Label=Site Name ahost=il02csgfagppdg23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Merdgckgd agdgnd dgCo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQiojhgfdBABCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=1765876538768 ad.GROUP__ID.c=2628CD380A87BC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620393000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 </CODE></PRE> <P>Why do the date_* field not get extracted? For a different source i get the extraction just fine (see below). Hence this has to do with the events themselves.</P> <BLOCKQUOTE> <PRE><CODE>date_hour (n) (6) date_mday (n) (1) date_minute (n) (60) date_month (1) date_second (n) (60) date_wday (1) date_year (n) (1) date_zone (1) </CODE></PRE> </BLOCKQUOTE> <P>Also, how can i populate them, if i needed to use them?</P> <P>Cheers.</P> Thu, 02 Dec 2010 07:04:48 GMT Genti 2010-12-02T07:04:48Z https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97694#M25198 <P>i have events that look like this:</P> <PRE><CODE>CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SescLU.exe"|High| eventId=5480802 externalId=0E68DF150A0064A4000A5EDF35775715 start=1290620312000 end=1290620312000 art=1290622138975 deviceSeverity=7 rt=1290622392494 dhost=IL06TR3534M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci456trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/SescLU.exe cs2=gsgdg cs1Label=Rule Name cs2Label=Site Name ahost=il02cdgdgsadgpp23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Medfgdfrfgck adfgndfd fCdfo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQioBAjhgfBCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=17653876548768 ad.GROUP__ID.c=262887CD380ABC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620312000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 CEF:0|Symantec|Endpoint Protection|11|999|"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"|High| eventId=5480801 externalId=14B8F26D0A0064A4000A5EDF382EDBF5 start=1290620393000 end=1290620393000 art=1290622138975 deviceSeverity=7 rt=1290622392479 dhost=IL06TR345M1029 dst=0.0.0.0 destinationZoneURI=/All Zones/System Zones/Private Address Space duser=SYSTEM dproc=C:/Program Files/Ci64trix/Server Resource Management/CPU Utilization Management/bin/ctxcpusched.exe filePath=C:/Program Files/Symantec/Symantec Endpoint Protection/Smc.exe cs2=hfghgf cs1Label=Rule Name cs2Label=Site Name ahost=il02csgfagppdg23 agt=0.0.0.0 agentZoneURI=/All Zones/System Zones/Public Address Space/Merdgckgd agdgnd dgCo. Inc av=5.0.1.0.0 atz=America/Chicago aid=VHCNQiojhgfdBABCAAbwsSXav-A\=\= at=symantecendpointprotection_db dtz=America/Chicago _cefVer=0.1 ad.USN.l=1765876538768 ad.GROUP__ID.c=2628CD380A87BC3B8D007F9E041C0F4906 ad.SEND__SNMP__TRAP.i=0 ad.SITE__ID.c=490FDBF20A0064A501D542C265C16579 ad.EVENT__TIME.l=1290620393000 ad.ALERT.l=1 ad.HARDWARE__KEY.c=CC4729F88C6AAB83A1072CA83A4EDEB5 ad.CALLER__PROCESS__ID.l=4464 ad.SERVER__ID.c=67B886940A0064A401CE5AF910B1B99C ad.COMPUTER__ID.c=4E09948C0A00649400AECB09AF9AB20F ad.ACTION.l=0 ad.AGENT__ID.c=600A65290A00649400AECB0979407FB0 ad.DOMAIN__ID.c=28CC5DC90A0064A501AB16EB8463B458 </CODE></PRE> <P>Why do the date_* field not get extracted? For a different source i get the extraction just fine (see below). Hence this has to do with the events themselves.</P> <BLOCKQUOTE> <PRE><CODE>date_hour (n) (6) date_mday (n) (1) date_minute (n) (60) date_month (1) date_second (n) (60) date_wday (1) date_year (n) (1) date_zone (1) </CODE></PRE> </BLOCKQUOTE> <P>Also, how can i populate them, if i needed to use them?</P> <P>Cheers.</P> Thu, 02 Dec 2010 07:04:48 GMT https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97694#M25198 Genti 2010-12-02T07:04:48Z https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97695#M25199 <P>From what i understand, the fields date_* are actually fields that are extracted when splunk parses the timestamp from the events themselves. Since these events have no timestamp associated to them, these fields do not get populated.</P> <P>If one wanted to use such fields they can extract and populate them using</P> <PRE><CODE> | eval date_mday=strftime(_time, "%d") </CODE></PRE> <P>The above, for example would extract the actual day of the month and populate it inside the date_mday field...</P> Thu, 02 Dec 2010 08:50:28 GMT https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97695#M25199 Genti 2010-12-02T08:50:28Z https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97696#M25200 <P>Seems to me there are various epoch timestamps in the event data that should have been picked up. Perhaps setting a higher MAX_TIMESTAMP_LOOKAHEAD or a TIME_PREFIX would help.</P> Mon, 28 Sep 2020 09:21:35 GMT https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97696#M25200 gkanapathy 2020-09-28T09:21:35Z https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97697#M25201 <P>i dont think the customer cared for those epoch timestamps, they were fine with the timestamp becoming the actual index time, but still wanted to extract the "Day" field..</P> Fri, 03 Dec 2010 03:41:09 GMT https://community.splunk.com/t5/Splunk-Search/date-fields-not-being-extracted/m-p/97697#M25201 Genti 2010-12-03T03:41:09Z