How should I extract the time stamp when it appear...

ddrillic · ‎06-18-2019

We have data that comes in two different formats -

Jun 18 14:02:21 <host> DataCollector: [0x7f08f6ffd700] INFO  Metrics null - {"snapshot":[{"Syslog":{"totalBytesReceived":{"count":80535209337320,"timestamp":"20190618T140221.616466"},...

Or

Jun 18 14:02:19 <host> DataCollector: [0x7f4e0b2c1700] INFO  RevisionManager null....

I did the following which works fine for the first case, but not the second, obviously ; -)

[syslog<case>]
TRANSFORMS-host_override = host_override
LINE_BREAKER=([\r\n]+)\S+\s\d+\s\d{2}:\d{2}:\d{2}
TIME_PREFIX=\"timestamp\":\"
TIME_FORMAT=%Y%m%dT%H%M%S.%6N
MAX_TIMESTAMP_LOOKAHEAD=50
TZ = UTC
TRUNCATE=10000
SHOULD_LINEMERGE=false
disabled=false

How can I handle the second case of the log? Here there isn't any other choice besides the time stamp at the beginning of the line.

DavidHourani · ‎06-18-2019

Hi @ddrillic,

Ouch...how did you get into that hole ?

How about routing each into a different sourcetype and applying the right time format there ?

If you try to apply a match on this format : Jun 18 14:02:19 even if it's conditional it will match for both so no way out that.

Cheers,
David

ddrillic · ‎06-18-2019

I know - it's a cute one ; -)

How should I extract the time stamp when it appears in two different formats and locations?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?