Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

TImestamp assignment for an event

AnithaL
New Member
‎01-31-2013 12:43 AM

Hi ,

Here is the sample log along with the line numbers mentioned ,which I am trying to upload to Splunk.

1 ) a
2 ) a1
3 ) a2
4 ) a3
5 ) a4
6 ) a5
7 ) begin script 2013-01-15 02:26:27::Status :0
8 ) Run_Job ::2013-01-15 02:26:27::pmcmd Return Code=0
9 ) Run_Job ::2013-01-15 02:26:27::Workflow wf_FF completed Successfully..
10 ) _Upd_DT_ID ::2013-01-15 02:30:14::Update Max Date in for JOB STREAM ID wf_FF
11 ) *** Warning: EOF on INPUT stream.
12 ) *** Warning: EOF on INPUT stream.
13 ) :: .ksh::2013-01-15 02:30:15::Last Extract ID/LAST Extract DATE and SOURCE_FLAT_FILE_NAME updated successfully.
14 ) *** Warning: EOF on INPUT stream.
15 ) *** Warning: EOF on INPUT stream.
16 ) ::2013-01-15 02:30:16::Completed. and updated successfully.
17 ) ::2013-01-15 02:30:16::Removing the session specific Temp file
18 ) ::2013-01-15 02:30:16::Successfully removed Temp file
19 ) ::2013-01-15 02:30:16::End processing for workflow wf_FF
20 ) ### Command completed.

For the first 6 lines splunk assigned the timestamp when it is getting indexed and for the rest it is taking from the log data.

Need the first 6 lines also merged with the second event so that it will get the timestamp from the log.

Thanks in advance.

Anitha.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:24 AM

You may be able to coerce those first lines into the next event by fiddling with the TIME_PREFIX value in props.conf - I didn't test that for this log though, just give it a go.

0 Karma
Reply

Ayn
Legend
‎01-31-2013 02:47 AM

This might also be helpful: http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Configuretimestamprecognition

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:32 AM

In-depth documentation is http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/ConfigurePositionalTimestampExtraction and http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf

In essence you're telling splunk where to start looking for a timestamp, you can set these either manually in props.conf or in the preview for new data inputs - the latter is likely the better option for you.

0 Karma
Reply

AnithaL
New Member
‎01-31-2013 01:28 AM

Hi

I am new to Splunk , not sure how to use TIME_PREFIX.

Regards,
Anitha

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...