Solved: Timestamp within event

splunklearner12 · ‎05-24-2019

My log file contains events that sometimes contain timestamp strings of other actions.
For example, an event may have occurred at 24/05/19 07:58:12.000, but the event itself contains references to when a certain action was last conducted such as "last update on 5/20/2019 12:45:09.000." .
Is it possible to still interpret those values as time values so one could for example create a graph showing all historical updates?

richgalloway · ‎05-24-2019

Yes, it's possible. First extract the string into a field then use strptime to convert it into a timestamp in epoch form. For example:

... | rex "last update on (?<lastUpdateStr>\S+\s\S+)" | eval lastUpdateTime=strptime(lastUpdateStr, "%m/%d/%Y %H:%M:%S.%3N") | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-24-2019

Yes, it's possible. First extract the string into a field then use strptime to convert it into a timestamp in epoch form. For example:

... | rex "last update on (?<lastUpdateStr>\S+\s\S+)" | eval lastUpdateTime=strptime(lastUpdateStr, "%m/%d/%Y %H:%M:%S.%3N") | ...

---
If this reply helps you, Karma would be appreciated.

splunklearner12 · ‎05-27-2019

Excellent, thank you.

splunklearner12 · ‎05-28-2019

sorry I though clicking the ^ did that.

richgalloway · ‎05-28-2019

@splunklearner1234 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

Timestamp within event

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services