Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Timestamp ascending
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timestamp ascending
Hello,
I have a problem concerning the timestamp of my logfiles. We want to look through a large textfile with structured values in it which looks like this:
date: 18.02.2015/ time: 13:09
filter: Moving Average 1
offset: 2,730863
tension; torsion; bending momentx; bending moment y; time; temperature
+172.107700;+0.856136;+0.000000;-4.752090;+335.291875;+23.750000
+389.506900;-1.284204;-3.573091;+1.018305;+335.292500;+23.750000
+489.148200;+0.214034;-0.922088;-4.525800;+335.293125;+23.750000
+199.282600;-0.642102;+0.115261;-3.168060;+335.293750;+23.750000
+262.690700;+1.284204;+0.922088;-2.376045;+335.294375;+23.750000
+461.973300;+0.642102;-1.267871;-3.394350;+335.295000;+23.750000
+280.807300;+0.000000;+1.383132;-2.715480;+335.295625;+23.750000
+443.856700;+0.749119;-1.383132;+2.602335;+335.296250;+23.750000
The timestamp is in fact the time that is written on top plus the seconds within each line (second last position).
Can I tell Splunk anyhow that the timestamp is in this case 13:09 + 335.xx seconds?
Thanks a lot in advance!
Toni
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for all your answers!
I meanwhile changed the way of importing it and used a pre process outside of splunk to change the format. Now Splunk knows the right time. I till have problems with making a timechart in Milliseconds, but that is within another topic.
Again thanks for you support!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need the timestamp for the event to be adjusted by the +335.xxx seconds? Or can you deal with the timestamp being 18.02.2015/ time: 13:09, and then do your search with some adjustments to them time where you would do something like this?:
<yoursearch> | rex "<rex-to-get-offset>" | eval real_time=_time+offset | <whatever-you-do-with-the-real_time>
This is not exact, but it gives you an IDEA of what you could do. Is this sort of search-time date creation usable for you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that could work for us. I give it a try!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ToniSchulz
Does your splunk, when you run a search, if you look at the predefined fields, does it pick up your timestamp?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I dont think Splunk can recognize that timestamp pattern. Instead you could use, current timestamp (supposing that your data is generated in real time)
Or maybe you could write an script to preprocess the logs, and attach a recognizable timestamp to each event or use this app https://apps.splunk.com/app/1901/ to do somethins like that.
Regards
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
