Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does event timestamp appear AFTER another date?

jmgilpin
New Member
‎07-28-2022 11:00 AM

This is my example log file:

-- Daily Prod Started 7/28/2022 12:36:05 PM 0.762 sec

-- BegMo='06/01/2022' 7/28/2022 12:36:05 PM 0.049 sec

-- BegDate='06/01/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndDate='07/28/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndMidNight='07/29/2022' 7/28/2022 12:36:05 PM 0 sec

-- Data Collection Start=7/28/2022 12:36:05 PM 7/28/2022 12:36:05 PM 0 sec

How do I pick up the timestamp on lines 2-5 - where there is a date with quotes, and lines 1 and 6, where there is not?  

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-28-2022 11:19 PM

Hi @jmgilpin,

There's only one thing that I don't understand: are you speaking of the event timestamp, or about the extraction of other fields tin date-time format?

In the first case, as @PickleRick said, you should use TIME_PREFIX and TIME_FORMAT to identify the correct timestamp.

In the second case, you should use the first as timestamp and extract the others as fields using regexes.

Ciao.

Giuseppe

0 Karma
Reply

jmgilpin
New Member
‎07-29-2022 05:41 AM

My intent was to parse the timestamp of the event - but I do not see a common set of chars to use as the prefix.  The timestamp in quotes is the value of a variable.

Fortunately, I was able to use current timestamp, so I am able to ingest the log files as they are created.

As this is a vendor log - and they are not to keen on changing the log format, current timestamp is workable.

thanks all!

James

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 05:57 AM

Hi @jmgilpin,

if the one you shared is a sample of your logs, you could use as TIME_PREFIX the first datetime yu have:

TIME_PREFIX = ^--\s+Daily Prod\s+Started\s+
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p

Ciao.

Giuseppe

:

 

0 Karma
Reply

jmgilpin
New Member
‎07-29-2022 06:12 AM

Interesting, I was treating each line as a separate entry, but treating the group of items as a single entry... that would work... will gave that a try and get back to you.

Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 06:23 AM

Hi @jmgilpin,

good for you,

tell me if I can help you more, otherwise, please, accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-28-2022 01:22 PM

Set long enough MAX_TIMESTAMP_LOOKAHEAD and define proper TIME_PREFIX which will account for all event versions.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...