Re: Parsing timestamp that is relative from zero f...

WiredBob · ‎03-13-2012

Hi

I'm new to Splunk and have what I think is a strange use case (maybe not!). We are capturing logs from an embedded device without a battery powered clock and therefore when booted the device has no reference to the current time. It generates logs from a time of 0 and timestamps the log events with a time offset in . e.g. 9.307.

The device does generally get a time reference quite soon after boot from NTP (if network connected) in the log, so I could pre-process the logs, parse out the time and write a valid timestamp for each event by recalculating the offset.

Does anyone have any recommendations?

Thanks

Robert

dwaddle · ‎03-13-2012

In this case, I would probably use DATETIME_CONFIG=CURRENT and just let the indexed time of the event be close enough... I am assuming you are forwarding these over the network, and they will arrive at the indexer within a few milliseconds of being created on the embedded device. If not, this will not work.

lukejadamec · ‎01-21-2014

You need a reference time - any time source will do according to its accuracy. Without a reference time you're out of luck. You need a reference time.

WiredBob · ‎03-14-2012

Thanks for the suggestion, but unfortunately these are logs we pull off the device periodically, not passed in near-real time across the network

Parsing timestamp that is relative from zero from an embedded device

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life