Solved: Re: How can I propagate date+hour to each next eve...

Pharaon · ‎07-16-2018

Hi. I am a newborn splunk user. Logs come in the following format
--Format--
@@dd/mm/yyyy_HH
MMSS.msecond|Message...
....
@@dd/mm/yyyy_HH
MMSS.msecond|Message...

How can I capture date+hour and apply to each event at indexing time.
E.g. for the last message in the sample I need something like below
10/07/2018 21:48:17.112 MessageF

Or how to make Splunk recognize a timestamp properly when hour is linked to date and precise time is linked to each message?

Appreciate your help.

Pharaon · ‎07-18-2018

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

View solution in original post

Pharaon · ‎07-18-2018

There is no easy way in splunk. Have to use Powershell addon with the following command for upload
Get-ChildItem '\*.log' -Recurse | Get-Content | %{if($_ -match '^@@'){$a=($_ -replace '^@@(\d{2})\/(\d{2})\/(\d{4})(\d{2})','$3-$2-$1T$4:');"$($a)00:00"}else{"$a$($ -replace '^(\d{2})(\d{2}.\d{3})', '$1:$2 ')"}}

CarsonZa · ‎07-16-2018

i don't think what you are after is possible. each event needs its own time stamp. The only alternative i could think of would be using indexing time as the timestamp. set up a props.conf and add the following. You would also need to setup some regex for line breaking i'm assuming which can be found in props.conf as well.

DATETIME_CONFIG = CURRENT

Logging Best Practices

How can I propagate date+hour to each next event in the log?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!