Re: Extract timestamp from the logs

isha_rastogi · ‎04-25-2018

I've logs where events are not starting with time. Log format is
10.100.28.108 - - 2018-04-25--02-31-14 "PUT /mifs/c/i/abc/abc.html?c=1073768600 HTTP/1.1" 200 20 "-" "abc/1.0" 5252
I was trying below but getting error: couldnot use strptime to parse
[ test ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H%-M-%S
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s-\s-
TZ=America/New_York

TISKAR · ‎04-25-2018

Can you try this please:

[ __auto__learned__ ]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H-%M-%S
TIME_PREFIX=(\d+\.){3}.\d+(\s-){2}\s

somesoni2 · ‎04-25-2018

Give this a try

[ test ]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)(?=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\s+\S+){2}\s)
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d--%H%-M-%S
TIME_PREFIX=^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\s+\S+){2}\s
MAX_TIMESTAMP_LOOKAHEAD = 20
TZ=America/New_York

p_gurav · ‎04-25-2018

Can you try to edit your time_prefix:

TIME_PREFIX=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s-\s-

Extract timestamp from the logs

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Extract timestamp from the logs

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases