Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use Field with Timestamp as Eventtime

RobertRi
Communicator
‎05-07-2018 02:30 AM

Hi Community!

I have a problem with a German Timestamp Field!
I would like to extract the correct Timestamp from this field and replace it as the eventtime.
Unfortunatly monthnames are displayed at german language.

What is the best way to do that

This is my field with the timestamp

Mo Mai 07 2018 11:15:46.5650

and I would like to replace the eventtime with that timestamp

Thanks
Rob

Tags (1)
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:07 AM

Edit: Please ignore, that won't work.

I'd agree with @FrankVI and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).

You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 06:15 AM

But would that SEDCMD be performed before Splunk does the timestamp extraction? Otherwise it is rather pointless, right?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:29 AM

You're right, my mistake, that wouldn't work...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 04:32 AM

Looks like you're not the only one who ran into this (no solution unfortunately):
https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html

Not directly related to index time processing of timestamps, but the search time documentation mentions that it follows the server's OS's locale setting:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables

So you might want to try sending this data through a HF that is running on an OS set to German locale.

Alternatively, you could look at defining your own timestamp processor (creating an alternative datetime.xml).

I'd probably aim at fixing this from the data source side, rather than Splunk side...

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 03:09 AM

Ha, Mai is actually the worst example 😉
Just wondering - is the timestamp only showing the first three letters of each month, or is it showing the full month name?

0 Karma
Reply

RobertRi
Communicator
‎05-07-2018 03:49 AM

Only the first three letters.

Regards
Rob

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...