Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TImestamp assignment for an event

AnithaL
New Member
‎01-31-2013 12:43 AM

Hi ,

Here is the sample log along with the line numbers mentioned ,which I am trying to upload to Splunk.

1 ) a
2 ) a1
3 ) a2
4 ) a3
5 ) a4
6 ) a5
7 ) begin script 2013-01-15 02:26:27::Status :0
8 ) Run_Job ::2013-01-15 02:26:27::pmcmd Return Code=0
9 ) Run_Job ::2013-01-15 02:26:27::Workflow wf_FF completed Successfully..
10 ) _Upd_DT_ID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wf_FF
11 ) *** Warning: EOF on INPUT stream.
12 ) *** Warning: EOF on INPUT stream.
13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCE_FLAT_FILE_NAME updated successfully.
14 ) *** Warning: EOF on INPUT stream.
15 ) *** Warning: EOF on INPUT stream.
16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.
17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file
18 ) ::2013-01-15 02:30:16::Successfully removed Temp file
19 ) ::2013-01-15 02:30:16::End processing for workflow wf_FF
20 ) ### Command completed.

For the first 6 lines splunk assigned the timestamp when it is getting indexed and for the rest it is taking from the log data.

Need the first 6 lines also merged with the second event so that it will get the timestamp from the log.

Thanks in advance.

Anitha.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:24 AM

You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.

0 Karma
Reply

Ayn
Legend
‎01-31-2013 02:47 AM

This might also be helpful: http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:32 AM

In-depth documentation is http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction and http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf

In essence you're telling splunk where to start looking for a timestamp, you can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.

0 Karma
Reply

AnithaL
New Member
‎01-31-2013 01:28 AM

Hi

I am new to Splunk , not sure how to use TIME_PREFIX.

Regards,
Anitha

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...