Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multikv row timestamp extraction

kubowler99
New Member
‎02-25-2012 12:19 PM

I'm trying to figure out the best way to extract a time stamp (not date) from a row when using multikv.

Here's the raw data:

" AIX Net Activity for Sunday, January 1, 2012 (00:00-00:00) (1) es2p375p"

         CPU            KB       PKTS            PKT ERRS          
  ------------------ --------- --------- ------------------------- 
  %I  %K %U %W logc   I    O    I    O   In errs O errs Collisions 
  --- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------

20:00 95 4 1 0 0.40 0 0 * * * * *

18:00 95 4 1 0 0.38 0 0 * * * * *

16:00 95 4 1 0 0.38 0 0 * * * * *

14:00 94 4 1 0 0.42 0 0 * * * * *

12:00 95 4 1 0 0.41 0 0 * * * * *

10:00 95 4 1 0 0.40 0 0 * * * * *

08:00 95 4 1 0 0.41 0 0 * * * * *

06:00 86 4 5 5 0.73 0 0 * * * * *

04:00 85 5 7 3 0.95 0 0 * * * * *

02:00 93 5 1 1 0.51 0 0 * * * * *

00:24 95 3 1 0 0.36 0 0 * * * * *

--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
SUM: 0 0

AVG: 93 4 2 1 0.49 0 0

I've already configured the multikv.conf and props.conf files to parse the log and extract the fields properly (there are multiple tables in a single log file, one table for each day).

Splunk see's each table as a different day, but the timestamp for each event/row is always 00:00, as opposed to the time in the first field of the event row. For example, the row

20:00 95 4 1 0 0.40 0 0 * * * * *

Will have a date/time stamp of January 1, 2012 00:00, instead of January 1, 2012 20:00.

Any ideas on the best way to solve this? All suggestions are welcome. Thanks!

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎02-26-2012 07:41 PM

First, assume that the first column is extracted into a field called "T". You can calculate the full timestamp as

<yoursearch> | multikv <params> | eval timestamp = _time + strptime(T, "%H:%M") | 
fieldformat timestamp = strftime(timestamp,"%x %X") | ...

Now you can use the new field called "timestamp" instead of _time in the remainder of your command...

Reply

kubowler99
New Member
‎02-27-2012 07:08 AM

Yeah - looks like the strptime(T, "%H:%M") is being evaluated with a Month, Day, Year, in addition to the Hour:Minute, which is hosing the epochtime. For example, when I only have 'eval timestamp = strptime(T, "%H:%M"), and T="19:00", timestamp returns as February 26, 2012 19:00. This would explain why your solution returns the March 02, 2054 01:00 timestamp.

Back to the drawing board, I guess. Still working on it.

0 Karma
Reply

kubowler99
New Member
‎02-27-2012 06:54 AM

Thanks, again.

  • I don't think the above is completely accurate, as I modified the strftime to (timestamp, "%B %d, %Y %H:%M") to get the full date, and both the day and time are off. Instead of January 5, 2012 19:00, it returns March 02, 2054 01:00.

I'm assuming it's the eval statement that may need to be modified, but not sure.

0 Karma
Reply

kubowler99
New Member
‎02-27-2012 05:58 AM

Thanks, lguinn. Will give it a shot and post results.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...