Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Pull Timestamp from Field in Raw Data

rdschmidt
Explorer
‎07-11-2013 09:38 AM

Can anyone tell me how to configure my Props.conf to use a defined field "Event_Time" (Which is in Epoch Time) for the timestamp (_time) instead of pulling the time when the file was saved?

Currently i have this configured:

TIME_FORMAT = %b %d %H:%M:%S ctime(Event_Time)
MAX_TIMESTAMP_LOOKAHEAD = 32
TZ = US/Central

Thanks,

Riley

Tags (3)
0 Karma
Reply

ryainad
Explorer
‎07-31-2013 03:24 AM

Hi, Riley.

I have a question regarding Huawei CSOFTX3000 CDRs. What do you use to decode CDR file? I search for solution, and I found only this splunk application from dmillis. But still I dont understand how to use it to decode CDR files.

Thank you in advance.

0 Karma
Reply

ryainad
Explorer
‎08-04-2013 08:31 PM

I got this Huawei CDR sample file. But I don't know know what type of the file is it. (250 byte or 350 byte or 450 byte) Could you please tell me how to know it?

0 Karma
Reply

rdschmidt
Explorer
‎07-31-2013 09:07 AM

The above time_prefix did fix our TimeStamp issues on our AAA records. We are still working on the CSOFTX3000. The issue is we are using 450 byte CDRs and the app is built for 350 byte.

Reply

linu1988
Champion
‎07-11-2013 11:34 AM

TIME_FORMAT=%s
TIME_PREFIX= \d{7}\|\d{6}\|\d\|
MAX_TIMESTAMP_LOOKAHEAD = 10

could you try setting props.conf and index new data?

0 Karma
Reply

Ayn
Legend
‎07-11-2013 11:21 AM

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Configuretimestamprecognition
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps

You don't extract timestamps from fields, because field extractions happen at a much later stage (and for most fields doesn't happen at index-time at all).

I took your sample event and threw it into RegExr (http://gskinner.com/RegExr/ ) and came up with a TIME_PREFIX regex that should work for you:

TIME_PREFIX = ^(?:[^|]*\|){34}

After that you can just use "TIME_FORMAT = %s" because it's an ordinary epoch timestamp.

Reply

rdschmidt
Explorer
‎07-11-2013 10:59 AM

Here is my search : x@wireless.com | convert ctime(Event_Time) as TIME

I just want to make the TIME field automatically show up as the timestamp.

Thanks,

Riley

0 Karma
Reply

rdschmidt
Explorer
‎07-11-2013 10:59 AM

Raw Data:
213|2|0|1|0|x||x.x.x.x|x@wireless.com|0782A8FC|07784722|0|0|x.x.x.x|x.x.x.x|x.x.x.x|0083|0|0|0|59|0|0|0|0|0|2|1|3|0|0|9747835|197309|0|1373498910|2019|0|0|0|0|0|211465|0|0|10|0|0|0|0|0||10026|2|0|1|541|3539|6668|1|07784722|0|0|0|24|x|0104000102040001|875560960||0|0|0|0||1373498539||0|311650|0|0|0|0|0|0|0|0|0||0|0|0|-1||||

timestamp: 7/10/13 6:54:51.000 PM

Derived Fields:
| Event_Time=1373498910 | TIME=07/10/2013 18:28:30

0 Karma
Reply

linu1988
Champion
‎07-11-2013 10:22 AM

Please use

TIME_FORMAT=%s
TIME_PREFIX= (regex)
MAX_TIMESTAMP_LOOKAHEAD = 32

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...