Re: Extract timestamp from the logs

isha_rastogi · ‎04-25-2018

I've logs where events are not starting with time. Log format is
10.100.28.108 - - 2018-04-25--02-31-14 "PUT /mifs/c/i/abc/abc.html?c=1073768600 HTTP/1.1" 200 20 "-" "abc/1.0" 5252
I was trying below but getting error: couldnot use strptime to parse
[ test ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H%-M-%S
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s-\s-
TZ=America/New_York

TISKAR · ‎04-25-2018

Can you try this please:

[ __auto__learned__ ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H-%M-%S
TIME_PREFIX=(\d+\.){3}.\d+(\s-){2}\s

somesoni2 · ‎04-25-2018

Give this a try

[ test ]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)(?=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\s+\S+){2}\s)
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H%-M-%S
TIME_PREFIX=^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\s+\S+){2}\s
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ=America/New_York

p_gurav · ‎04-25-2018

Can you try to edit your time_prefix:

TIME_PREFIX=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s-\s-

Extract timestamp from the logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation