Re: How to use TIME_PREFIX to extract Timestamp fo...

kiran331 · ‎04-03-2018

How to Extract the timestamp (Date: in below screenshot) which is in UTC format and convert to CST format? current timestamp is indexing timestamp.

sravankaripe · ‎04-05-2018

[ _json ]
BREAK_ONLY_BEFORE={"preview"
pulldown_type=true
TIME_PREFIX=\s\\"date\\":\s+\\"

sravankaripe · ‎04-05-2018

Try this or above stanza

[ _json ]
BREAK_ONLY_BEFORE={"preview"
TIME_PREFIX=\s\\"date\\":\s+\\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S+%N:%N
TRUNCATE=9999999

davpx · ‎04-04-2018

TIME_PREFIX = timestamp:\s+
TIME_FORMAT = %s

in props.conf

kiran331 · ‎04-05-2018

I tried it din't work.

splunker12er · ‎04-03-2018

yoursearch| eval CST_time=_time-21600| convert ctime(CST_time)|table CST_time , _time

yoursearch| eval CST_time=now()-21600| convert ctime(CST_time)|table CST_time , _time

Central Standard Time (CST) is 6 hours behind Coordinated Universal Time (UTC).
where your _time is UTC

kiran331 · ‎04-04-2018

Is there a way to do it at indexing time?

How to use TIME_PREFIX to extract Timestamp for the JSON logs?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor