Re: Extrating fields with the single dates of the ...

sympatiko · ‎07-01-2015

Hi Splunkers,

Im having this serious problem. Is there any way to transform or modify a log coming to a certain index?

Example: I have logs like this:

Jul 1 08:00:00 user service : example logs

I want to modify into :

07-01 08:00:00 user service : example logs

Is this possible? Im going to do log extraction for my alerting.

Thanks

vganjare · ‎07-01-2015

You can try using strptime and strftime commands for formating the time. More details @

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

Thanks!!

sympatiko · ‎07-01-2015

Hi vganjare,

Im very newbie at splunk and there are some terms that made me confused. Can you give me some sample?

Thanks

vganjare · ‎07-01-2015

Lets take this example:
Jul 1 08:00:00 ==> %b %d %H:%M:%S (refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables)

07-01 08:00:00 ==> %m-%d %H:%M:%S

Your query should look like:
...... | eval customTime = strftime(_time, "%m-%d %H:%M:%S")

Check the examples of strftime and strptime at http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

sympatiko · ‎07-01-2015

Because I configured an alerting with field extraction. So I only notice now that Every 1-9 of the month the logs has a space between the month and the day.

Sample : Jul 1 .......

It has extra space so it causes my custom alerts to read the different parameter based on my extracted fields on my query.

Extrating fields with the single dates of the month?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor