Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I propagate date+hour to each next event in the log?

Pharaon
Engager
‎07-16-2018 12:44 AM

Hi. I am a newborn splunk user. Logs come in the following format
--Format--
@@dd/mm/yyyy_HH
MMSS.msecond|Message...
....
@@dd/mm/yyyy_HH
MMSS.msecond|Message...

Sample:
@@10/07/2018_20
4117.824|MessageA
4117.826|MessageB
4118.007|MessageA
4118.010|MessageC
@@10/07/2018_21
1107.284|MessageD
1221.621|MessageB
2128.107|MessageE
4817.112|MessageF

How can I capture date+hour and apply to each event at indexing time.
E.g. for the last message in the sample I need something like below
10/07/2018 21:48:17.112 MessageF

Or how to make Splunk recognize a timestamp properly when hour is linked to date and precise time is linked to each message?

Appreciate your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pharaon
Engager
‎07-18-2018 01:10 AM

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pharaon
Engager
‎07-18-2018 01:10 AM

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

0 Karma
Reply
Solved! Jump to solution

CarsonZa
Contributor
‎07-16-2018 10:12 AM

i don't think what you are after is possible. each event needs its own time stamp. The only alternative i could think of would be using indexing time as the timestamp. set up a props.conf and add the following. You would also need to setup some regex for line breaking i'm assuming which can be found in props.conf as well. 

DATETIME_CONFIG = CURRENT

Logging Best Practices

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...