Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract the timestamp from an HTML file?

tfitzgerald_col
Engager
‎12-18-2014 06:34 AM

Howdy. I'm trying to index an HTML file, and I can not, for the life of me, get the timestamp to extract when using the preview. Here's the event:

<abbr class="dt" title="2013-05-27T04:24:58.979Z">May 27, 2013, 4:24:58 AM
GMT</abbr>:
<cite class="sender vcard"><a class="tel" href="tel:+*******"><span class="fn">+**********</span></a></cite>:
<q>Yeah, I'll be there</q></div>

And here's what I'm using for settings.

TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = <abbr class="\w+" title="
MAX_TIMESTAMP_LOOKAHEAD = 19

It's just not finding the timestamp at all. Any idea why? I've tried a few other iterations, even going so far as to make the prefix <.*>, and setting the time format to match the second timestamp; still nothing. I'm getting pretty frustrated.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-22-2014 08:16 PM

I would avoid using any kind of tag notation within TIME_PREFIX. Have you tried just as below? 

TIME_PREFIX= title="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N%Z
0 Karma
Reply
Get Updates on the Splunk Community!

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top