Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does event timestamp appear AFTER another date?

jmgilpin
New Member
‎07-28-2022 11:00 AM

This is my example log file:

-- Daily Prod Started 7/28/2022 12:36:05 PM 0.762 sec

-- BegMo='06/01/2022' 7/28/2022 12:36:05 PM 0.049 sec

-- BegDate='06/01/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndDate='07/28/2022' 7/28/2022 12:36:05 PM 0 sec

-- EndMidNight='07/29/2022' 7/28/2022 12:36:05 PM 0 sec

-- Data Collection Start=7/28/2022 12:36:05 PM 7/28/2022 12:36:05 PM 0 sec

How do I pick up the timestamp on lines 2-5 - where there is a date with quotes, and lines 1 and 6, where there is not?  

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-28-2022 11:19 PM

Hi @jmgilpin,

There's only one thing that I don't understand: are you speaking of the event timestamp, or about the extraction of other fields tin date-time format?

In the first case, as @PickleRick said, you should use TIME_PREFIX and TIME_FORMAT to identify the correct timestamp.

In the second case, you should use the first as timestamp and extract the others as fields using regexes.

Ciao.

Giuseppe

0 Karma
Reply

jmgilpin
New Member
‎07-29-2022 05:41 AM

My intent was to parse the timestamp of the event - but I do not see a common set of chars to use as the prefix.  The timestamp in quotes is the value of a variable.

Fortunately, I was able to use current timestamp, so I am able to ingest the log files as they are created.

As this is a vendor log - and they are not to keen on changing the log format, current timestamp is workable.

thanks all!

James

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 05:57 AM

Hi @jmgilpin,

if the one you shared is a sample of your logs, you could use as TIME_PREFIX the first datetime yu have:

TIME_PREFIX = ^--\s+Daily Prod\s+Started\s+
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p

Ciao.

Giuseppe

:

 

0 Karma
Reply

jmgilpin
New Member
‎07-29-2022 06:12 AM

Interesting, I was treating each line as a separate entry, but treating the group of items as a single entry... that would work... will gave that a try and get back to you.

Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 06:23 AM

Hi @jmgilpin,

good for you,

tell me if I can help you more, otherwise, please, accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-28-2022 01:22 PM

Set long enough MAX_TIMESTAMP_LOOKAHEAD and define proper TIME_PREFIX which will account for all event versions.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...