How can I order the date/time in an event?

shpot
New Member

Is it possible to process a specific date/time format first and if the format doesn't match the regex, default it to another?

Nov 19 21:56:10 myhost1 myapp1 2018-11-19T21:56:10.394Z level=INFO
Nov 19 21:57:20 myhost2 myapp2 [10.110.101.85]: 2018-11-19 21:57:20:322 [INFO ]
Nov 19 21:58:30 myhost3 myapp3 status=failed exit_code=2

My props is set for the TIME_FORMAT of %Y-%m-%dT%H:%M:%S.%3N%Z using a regex TIME_PREFIX for everything before the date/time 2018-11-19T21:59:10.394Z (as in the first event). If the TIME_FORMAT doesn't match or doesn't exist (as in the second and third events), then I'd like to use the first date/time in the beginning of each event (Nov 19 21:57:20). Is this possible? If so, how would this be accomplished?


skalliger
SplunkTrust

Hm, this is quite dirty to do. You can keep your TIME_PREFIX and modify your RegEx. Simply add an "or"-condition in your regex. On the left side, match your second timestamp and on the other side of the or-condition, match the first timestamp. This is what I would try. To keep the impact of the possible regex steps low, you can set MAX_TIMESTAMP_LOOKAHEAD to the position where your second (and preferred) timestamp would start. So your regex won't try to match the whole event once before trying to match the second condition in the or.

Is that clear enough or do you need a RegEx example?

Skalli

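The "preferred format first, otherwise fall back" logic the question asks for, written out as an added Python example (not Splunk's own timestamp extraction and not code from this thread): it searches a bounded prefix of each event for the asker's ISO format, in the spirit of MAX_TIMESTAMP_LOOKAHEAD, and otherwise falls back to the syslog header at the start of the event. The year applied to the syslog header is an assumption, since that header carries none; the sample events are copied from the question.

```python
import re
from datetime import datetime, timezone

# Sample events, copied from the question (constructed test input).
EVENTS = [
    "Nov 19 21:56:10 myhost1 myapp1 2018-11-19T21:56:10.394Z level=INFO",
    "Nov 19 21:57:20 myhost2 myapp2 [10.110.101.85]: 2018-11-19 21:57:20:322 [INFO ]",
    "Nov 19 21:58:30 myhost3 myapp3 status=failed exit_code=2",
]

# Preferred timestamp: the ISO-8601 form behind TIME_FORMAT %Y-%m-%dT%H:%M:%S.%3N%Z.
ISO_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")
# Fallback: the syslog header at the very start of every event (no year, no zone).
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# Only the first LOOKAHEAD characters are searched for the preferred form, so a
# date that appears late in the message body is not mistaken for the event time.
LOOKAHEAD = 80
# Assumption: the syslog header has no year; 2018 matches the sample data.
ASSUMED_YEAR = 2018


def extract_time(event, year=ASSUMED_YEAR):
    """Return (timestamp, source); source names the format that matched."""
    m = ISO_RE.search(event[:LOOKAHEAD])
    if m:
        # %f accepts the three-digit millisecond field; Z means UTC.
        ts = datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S.%fZ")
        return ts.replace(tzinfo=timezone.utc), "iso"
    m = SYSLOG_RE.match(event)
    if m:
        # Whitespace in the format matches one or more spaces, so "Nov  9" works too.
        ts = datetime.strptime(f"{year} {m.group(0)}", "%Y %b %d %H:%M:%S")
        return ts, "syslog"
    return None, "none"


def extract_all(events):
    """Apply extract_time to every event, keeping the order of the input."""
    return [extract_time(e) for e in events]


if __name__ == "__main__":
    for event, (ts, source) in zip(EVENTS, extract_all(EVENTS)):
        print(f"{source:7} {ts}  <- {event[:40]}")
```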

inventsekar
Ultra Champion

If the TIME_FORMAT doesn't match or doesn't exist (as in the second and third events), then I'd like to use the first date/time in the beginning of each event (Nov 19 21:57:20). Is this possible? If so, how would this be accomplished?

I think this will be difficult to do with props.conf.
Maybe you could use a simple props.conf and then, using a Splunk search query, do the if-else assignment.


adonio
Ultra Champion

What is the problem you are trying to solve?
Are you looking to capture the milliseconds?
