Re: extracting timestamp without second

kyoungwoon · ‎09-12-2012

Hi everyone,
I'm trying to extract timestamp from following log entry.

0188010010999992012010100004+70933-008667FM-12+0009ENJA V0201001N006010021019N0030001N1+00171+00121096611ADDAA106002091AY161061AY221061GF108991081071002501999999MA1999999096501MD1710221+9999MW1611REMSYN088AAXX 01001 01001 11330 81006 10017 20012 39650 49661 57022 60021 76162 887// 333 91109;

Date information is 201201010000 in 16-27 position and it only contains YYYYMMDDHHMM, not SS. When I tried with "%Y%m%d%H%M", it always returned 2012010100004. (At the end, 4 is not the second information)
I tried with followings.

NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d%H%M
TIME_PREFIX=^\d{15}

When I tried to grab only date information using "%Y%m%d", it always returned 201201010. One more '0' at the end which should not be included. It makes problem when the hour is 11 or 12 as the day became 11th.
Why one additional digit is grabbed?

Any suggestions?
Thank you in advance.

BobM · ‎09-12-2012

Try adding

MAX_TIMESTAMP_LOOKAHEAD=12

That should force it to ignore the 13th digit.

kyoungwoon · ‎09-12-2012

I've tried, but it didn't work.

extracting timestamp without second

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation