Getting Data In

Timestamp ascending

ToniSchulz
Explorer

Hello,

I have a problem concerning the timestamp of my logfiles. We want to look through a large textfile with structured values in it which looks like this:

date: 18.02.2015/ time: 13:09

filter: Moving Average 1

offset: 2,730863

tension; torsion; bending momentx; bending moment y; time; temperature

+172.107700;+0.856136;+0.000000;-4.752090;+335.291875;+23.750000
+389.506900;-1.284204;-3.573091;+1.018305;+335.292500;+23.750000
+489.148200;+0.214034;-0.922088;-4.525800;+335.293125;+23.750000
+199.282600;-0.642102;+0.115261;-3.168060;+335.293750;+23.750000
+262.690700;+1.284204;+0.922088;-2.376045;+335.294375;+23.750000
+461.973300;+0.642102;-1.267871;-3.394350;+335.295000;+23.750000
+280.807300;+0.000000;+1.383132;-2.715480;+335.295625;+23.750000
+443.856700;+0.749119;-1.383132;+2.602335;+335.296250;+23.750000

The timestamp is in fact the time that is written on top plus the seconds within each line (second last position).
Can I tell Splunk anyhow that the timestamp is in this case 13:09 + 335.xx seconds?

Thanks a lot in advance!

Toni

0 Karma

ToniSchulz
Explorer

Thanks a lot for all your answers!
I meanwhile changed the way of importing it and used a pre-process outside of Splunk to change the format. Now Splunk knows the right time. I still have problems with making a timechart in milliseconds, but that is within another topic.

Again, thanks for your support!

0 Karma

cpetterborg
SplunkTrust

Do you need the timestamp for the event to be adjusted by the +335.xxx seconds? Or can you deal with the timestamp being 18.02.2015/ time: 13:09, and then do your search with some adjustments to the time, where you would do something like this?:

<yoursearch> | rex "<rex-to-get-offset>" | eval real_time=_time+offset | <whatever-you-do-with-the-real_time>

This is not exact, but it gives you an IDEA of what you could do. Is this sort of search-time date creation usable for you?

0 Karma

ToniSchulz
Explorer

I think that could work for us. I give it a try!

0 Karma

markthompson
Builder

@ToniSchulz

When you run a search in Splunk and look at the predefined fields, does it pick up your timestamp?

0 Karma

gfuente
Motivator

Hello

I don't think Splunk can recognize that timestamp pattern. Instead you could use the current timestamp (supposing that your data is generated in real time).

Or maybe you could write a script to preprocess the logs and attach a recognizable timestamp to each event, or use this app https://apps.splunk.com/app/1901/ to do something like that.

Regards

0 Karma
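The preprocessing route that gfuente suggests here, and that Toni reports adopting further up the thread, can be sketched in a few lines. The script below is an added example, not code from the thread or from any Splunk app: it parses the `date: dd.mm.yyyy/ time: HH:MM` header, finds the `time` column in the `;`-separated header row, adds each row's seconds to the base time and emits one line per row that starts with an ISO 8601 timestamp followed by `field=value` pairs. The sample input is constructed from the two rows quoted in the question; the output line layout and the field-name sanitisation (spaces to underscores) are my own choices, not anything the thread specifies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the file in the question: a metadata header,
# a ';'-separated column header, then ';'-separated measurement rows.
SAMPLE = """date: 18.02.2015/ time: 13:09

filter: Moving Average 1

offset: 2,730863

tension; torsion; bending momentx; bending moment y; time; temperature

+172.107700;+0.856136;+0.000000;-4.752090;+335.291875;+23.750000
+389.506900;-1.284204;-3.573091;+1.018305;+335.292500;+23.750000
"""

# Matches the header line exactly as it appears in the question, e.g.
# "date: 18.02.2015/ time: 13:09" (day.month.year, 24h clock, no seconds).
HEADER_RE = re.compile(r"date:\s*(\d{2}\.\d{2}\.\d{4})/\s*time:\s*(\d{2}:\d{2})")


def parse_base_time(text):
    """Return the header's date+time as a naive datetime (assumes local time)."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'date: dd.mm.yyyy/ time: HH:MM' header found")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d.%m.%Y %H:%M")


def preprocess(text):
    """Return one output line per data row: ISO timestamp, then field=value pairs.

    The first ';'-separated line is taken as the column header; every later
    ';'-separated line is a data row whose 'time' column holds seconds to add
    to the base time. Rows with the wrong number of fields are skipped.
    """
    base = parse_base_time(text)
    columns = None
    time_idx = None
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ";" not in line:
            continue  # blank lines and "key: value" metadata lines
        fields = [f.strip() for f in line.split(";")]
        if columns is None:
            # Column header: sanitise names so they are usable as Splunk field names.
            columns = [c.replace(" ", "_") for c in fields]
            time_idx = columns.index("time")
            continue
        if len(fields) != len(columns):
            continue  # malformed row; drop rather than mis-assign columns
        # The file uses '.' in rows but ',' in the offset line; accept either.
        seconds = float(fields[time_idx].replace(",", "."))
        ts = base + timedelta(seconds=seconds)
        kv = " ".join(f"{k}={v}" for k, v in zip(columns, fields))
        out.append(f"{ts.isoformat()} {kv}")
    return out


if __name__ == "__main__":
    for line in preprocess(SAMPLE):
        print(line)
```

For the first sample row this yields `2015-02-18T13:14:35.291875 tension=+172.107700 torsion=+0.856136 ...`, i.e. 13:09 plus 335.291875 seconds. With the timestamp at the start of each line Splunk's default timestamp extraction will normally pick it up; to pin it down, a sourcetype stanza in props.conf with `TIME_PREFIX = ^` and `TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N` tells Splunk exactly what to read, and the sub-second part survives for the millisecond timechart Toni mentions.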