Solved: Adding Multiple time stamp fields in props file so...

k_harini · ‎11-07-2016

I have a source file with multiple dates and timestamp as separate fields. I want to use last_changed and last_changed_time fields..
Both are in different format
last_changed = %d.%m.%Y
last_changed_time = %H:%M:%S %p

While defining sourcetype - Timestamp fields - last_changed,last_changed_time ... How to give timestamp format since 2 fields are present in timestamp fields? Please suggest!

gcusello · ‎11-07-2016

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

View solution in original post

gcusello · ‎11-07-2016

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

niketn · ‎11-07-2016

can you add some sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Adding Multiple time stamp fields in props file sourcetype stanza

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms