Getting Data In

Trying to extract timestamp from json field

cblanton
Communicator

One of the fields being indexed is formatted xx-xx-xxxxx_xx_xx-xx-20ww04c and various other strings always ending with year, week of the year and version, ie a=1, b=2, c=3.

I'm testing this through the Add Data UI which has the Advanced options to provide Timestamp format, Timestamp prefix, and Lookahead.

I'm trying these for the first two values, but it's obviously not correct:

Timestamp format: %yww%Vc
Timestamp prefix: (?<_time>\w{7})$

Thanks for any help

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval time=strftime(_time,"%yww%Vc")
| fieldformat _time=strftime(_time,"%yww%Vc")
| eval check=strptime(time,"%yww%Vc")

wow, It can't be extracted.
| noop search_optimization=false it can't work.

0 Karma

abhinav_bel
Loves-to-Learn Lots

Hi ,

 

I am able to get at search time what I want but unable to achieve at index time

My timestamp in data looks like: 2020-07-02T18:00:18+02:00 with name log_modified_date.

i have written below props.conf:

[_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = last_modified_date
TIME_FORMAT = %Y-%m-%dT%H:%M:%S+%2N:%2N
MAX_TIMESTAMP_LOOKAHEAD = 25

 

 

and getting time extracted as : 

7/2/20
6:00:18.020 PM

 

 

I want the time field extracted in same way as in data with + value as well like: 

 7/2/20
6:00:18+02:00 PM    something like this

Please let me know what i am doing wrong as i am not getting expected output.

0 Karma

to4kawa
Ultra Champion

 

 

0 Karma

abhinav_bel
Loves-to-Learn Lots

This timeformat will not work , with adding %:z it will just convert time as per timezone .

I hv already tried what you suggested.

As i said i want time as it is with + value mentioned.

Note +02:00 is fixed with each timestamp in events.

So in case if we can’t get in timeformat ,can we add explicitly at index time.

Pls suggest.

And i have to use time format because there is 1 more time field in data which splunk detecting automatically.

0 Karma

to4kawa
Ultra Champion
 
0 Karma

abhinav_bel
Loves-to-Learn Lots

Hi @to4kawa  ,

is 2020-07-02T18:02:18 ? - No it doesn't mean

I want +02:00 value separately only along with time:

7/2/20
6:00:44+02:00 PM             
like this i want in _time.

Please help me getting this and as I told earlier that +02:00 value is fixed with each timestamp so you can leverage of adding hardcore as well, i won't mind just output should be same.

Thanks

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...