Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

TIME_PREFIX

shangshin
Builder
‎05-30-2012 07:27 AM

I have an autosys log with 4 columns (JobName|Start|End|Status) and would like to add them in splunk.

Check_Job|05/22/2012 02:09:17|05/22/2012 02:09:18|SUCCESS
Extract_Job|05/22/2012 03:09:17|05/22/2012 03:09:18|SUCCESS
Database_Job|05/22/2012 02:09:17||RUNNING

Two questions --

  1. How can I set the primary event time to be end time (column 3)? Can I use TIME_PREFIX=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}
  2. Is it possible to set a secondary event time?
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-30-2012 07:46 AM

This link has an example that I included on your previous question. Splunk will only use one timestamp to represent the event time.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configurepositionaltimestampextraction

Once you get the regex ok for the TIME_PREFIX you will also need to set MAX_TIMESTAMP_LOOKAHEAD. In this case i think set it to 50.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-30-2012 07:46 AM

This link has an example that I included on your previous question. Splunk will only use one timestamp to represent the event time.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configurepositionaltimestampextraction

Once you get the regex ok for the TIME_PREFIX you will also need to set MAX_TIMESTAMP_LOOKAHEAD. In this case i think set it to 50.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-30-2012 08:58 AM

not sure if those will apply to anything other than the indexed _time for the event but i'm not sure exactly what you are referencing. You can caluculate the time now() in epoch time and do conversions i think...just not as elegant a solution. http://splunk-base.splunk.com/answers/117/how-do-i-get-the-current-time

0 Karma
Reply
Solved! Jump to solution

shangshin
Builder
‎05-30-2012 08:54 AM

relative_time will do the magic. I am good. thanks!

0 Karma
Reply
Solved! Jump to solution

shangshin
Builder
‎05-30-2012 08:50 AM

Let me rephrase. Is there any function like this?

index=gops STATUS=closed | eval close_date=strptime(CLOSE_DATE,"%m/%d/%y %H:%M") | where close_date>datediff (@now, -30m)

0 Karma
Reply
Solved! Jump to solution

shangshin
Builder
‎05-30-2012 08:39 AM

This is not a bad solution. Is it possible to use relative time for the function strptime? (e.g. -30m or -2h)
The reason I am asking this is because I need to set up an alert and using a specific time won't be feasible.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-30-2012 07:56 AM

Yes, that makes it more challenging. I think this is what you were looking for...manipulating the second date field anyways and leaving the current time stamp as is.

http://splunk-base.splunk.com/answers/4249/searching-mulitple-time-fields-within-a-record

Reply
Solved! Jump to solution

shangshin
Builder
‎05-30-2012 07:53 AM

The string length of the first column, job name, is between 3 - 60 characters. How can I be sure splunk won't pick start time as the event time knowing the timestamp format of start and end time is identical?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...