Timestamp extraction for varying subseconds and time zones?
ankithreddy777
Contributor
09-07-2018
09:55 AM
How do you extract a timestamp from a message having
event1: Timestamp:2018-09-06T00:00:11.214000000, Timezone:UTC
event2: Timestamp:2018-09-06T00:00:11.214, Timezone:CST
where subseconds can be milliseconds or nanoseconds, which vary, and the time zone can be any string like UTC, CST, etc.
adonio
Ultra Champion
09-07-2018
10:57 AM
Looks like Splunk can handle it;
try the props.conf below:
[odd_timestamp]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9N, Timezone:%Z
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=48
worked for me,
see screenshot below:
sudosplunk
Motivator
09-07-2018
10:05 AM
If you have multiple timestamp formats in a single log file, then try configuring datetime.xml. Refer to the docs below for more information.
http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configuredatetimexml
https://www.splunk.com/blog/2014/04/23/its-that-time-again.html
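An added example, not part of any post in this thread: a Python reference parser for the two event formats in the question, useful for computing the epoch value each event should receive before comparing it with what an index-time configuration actually assigns. The abbreviation-to-offset table and all function names are assumptions of this example; CST is taken here as US Central (UTC-6).

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed mapping, constructed for this example. Abbreviations are ambiguous
# (CST can mean US Central or China Standard Time), so choose it per log source.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "CST": -6, "MST": -7, "PST": -8}

# Fraction is optional and 1 to 9 digits, covering milli- through nanoseconds.
EVENT_RE = re.compile(
    r"Timestamp:(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?"
    r",\s*Timezone:(?P<tz>[A-Za-z]+)"
)

# The two sample events from the question.
SAMPLE_EVENTS = [
    "Timestamp:2018-09-06T00:00:11.214000000, Timezone:UTC",
    "Timestamp:2018-09-06T00:00:11.214, Timezone:CST",
]


def parse_event_time(line):
    """Return (UTC datetime at second precision, nanoseconds) or raise ValueError."""
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError("no timestamp found")
    tz = m.group("tz").upper()
    if tz not in TZ_OFFSETS:
        # Fail loudly: silently assuming UTC would shift events by hours.
        raise ValueError(f"unknown time zone abbreviation: {tz}")
    local = datetime.strptime(m.group("base"), "%Y-%m-%dT%H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))
    # Right-pad the fraction so ".214" and ".214000000" yield the same value.
    nanos = int((m.group("frac") or "").ljust(9, "0"))
    return local.astimezone(timezone.utc), nanos


def to_epoch_ns(line):
    """Epoch time in integer nanoseconds, avoiding float rounding."""
    dt, nanos = parse_event_time(line)
    return int(dt.timestamp()) * 1_000_000_000 + nanos


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(to_epoch_ns(event), event)
```

The nanosecond part is kept as a separate integer because Python's `datetime` only stores microseconds.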