Getting Data In

Adding Multiple time stamp fields in props file sourcetype stanza

k_harini
Communicator

I have a source file with multiple dates and timestamp as separate fields. I want to use last_changed and last_changed_time fields..
Both are in different format
last_changed = %d.%m.%Y
last_changed_time = %H:%M:%S %p

While defining sourcetype - Timestamp fields - last_changed,last_changed_time ... How to give timestamp format since 2 fields are present in timestamp fields? Please suggest!

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi k_harini,
if you could share an example will be more efficient.
Every way, if you have something like this:
01.11.2016|01.11.2016|02.11.2016|11:58:56 AM|11:58:57 AM|11:59:09 AM
and you need to take the first and the fourth fields, you could use in TIMESTAMP_FORMAT something like this %d.%m.%Y\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|%H:%M:%S %p

Bye.
Giuseppe

0 Karma

niketn
Legend

can you add some sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...