Getting Data In

How to extract timestamp in multiline event?

zapping575
Explorer

Hi all,

can somebody please give me a hand w/ this. I would like to extract the timestamp from an Event like this:

 

 

 

Info1:   ASDF
Info2:          QWE
Info3:          YXC
Time:                MON JAN 01 00:00:00 2022

 

 

 

 Here is what I am using in props.conf. According to regex101, my TIME_PREFIX should be good, but it doesnt work (splunk uses the current time in the _time field). The fact that weekday and month are capitalized should not be problem.

 

 

 

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = ^.*\n^.*\n^.*\n^Time:\s+

 

 

 

 

Labels (2)
0 Karma
1 Solution

gcusello
Legend

Hi @zapping575,

if the timestamp is the only one wit this format, you don't need to use TIME_PREFIX, but TIME_FORMAT is sufficient.

Then, if you want to use TIME_PREFIX, I'd use one more simplex:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+

but remember to enable 

SHOULD_LINEMERGE = True

Then, where do you located this props.conf?

it must be in the Indexers or (when present) on Heavy Forwarders.

Ciao.

Giuseppe

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I suspect Splunk is having a problem with the newlines in the regex.  I've seen that before.  Try these settings:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+
---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
Legend

Hi @zapping575,

if the timestamp is the only one wit this format, you don't need to use TIME_PREFIX, but TIME_FORMAT is sufficient.

Then, if you want to use TIME_PREFIX, I'd use one more simplex:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+

but remember to enable 

SHOULD_LINEMERGE = True

Then, where do you located this props.conf?

it must be in the Indexers or (when present) on Heavy Forwarders.

Ciao.

Giuseppe

zapping575
Explorer

Ciao @gcusello 

Yes, its working!

Funnily enough, before I tried the RegEx shown in the OP, I tried one which is very close to yours, but didnt work :):

^Time:\s+

Thank you very much.

While I know that this is an off topic question, a different problem has turned up now:
The file contains a header that I cannot seem to get rid of.

I tried setting

FIELD_HEADER_REGEX = ==\[

but this again did not work. Here is the header: (notice the "==[", after which the first event begins)

Info1: qwe
Info2: asd
Info3: yxc
Info4: foo
Info5: bar
Info6: baz
Info7: fizz
Info8: buzz

==[

 

gcusello
Legend

Hi @zapping575 ,

the regex "^Time:\s+" is wrong, because the "^" means that Time is at the beginning of your event and it isn't true.

Anyway, please accept one answer for the other people of Community.

The other question is completely different so I hint to put in a new question, to be sure to have a quicker and probably better answer.

Anyway, what do you want to do: remove header or take it?

If you want to remove it , use SEDCMD command (https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata)

the command you used is to identify header and have the fields list.

Ciao.

Giuseppe

0 Karma

gcusello
Legend

Hi @zapping575,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...