- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: multikv row timestamp extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multikv row timestamp extraction
I'm trying to figure out the best way to extract a time stamp (not date) from a row when using multikv.
Here's the raw data:
" AIX Net Activity for Sunday, January 1, 2012 (00:00-00:00) (1) es2p375p"
CPU KB PKTS PKT ERRS
------------------ --------- --------- -------------------------
%I %K %U %W logc I O I O In errs O errs Collisions
--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
20:00 95 4 1 0 0.40 0 0 * * * * *
18:00 95 4 1 0 0.38 0 0 * * * * *
16:00 95 4 1 0 0.38 0 0 * * * * *
14:00 94 4 1 0 0.42 0 0 * * * * *
12:00 95 4 1 0 0.41 0 0 * * * * *
10:00 95 4 1 0 0.40 0 0 * * * * *
08:00 95 4 1 0 0.41 0 0 * * * * *
06:00 86 4 5 5 0.73 0 0 * * * * *
04:00 85 5 7 3 0.95 0 0 * * * * *
02:00 93 5 1 1 0.51 0 0 * * * * *
00:24 95 3 1 0 0.36 0 0 * * * * *
--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
SUM: 0 0
AVG: 93 4 2 1 0.49 0 0
I've already configured the multikv.conf and props.conf files to parse the log and extract the fields properly (there are multiple tables in a single log file, one table for each day).
Splunk see's each table as a different day, but the timestamp for each event/row is always 00:00, as opposed to the time in the first field of the event row. For example, the row
20:00 95 4 1 0 0.40 0 0 * * * * *
Will have a date/time stamp of January 1, 2012 00:00, instead of January 1, 2012 20:00.
Any ideas on the best way to solve this? All suggestions are welcome. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, assume that the first column is extracted into a field called "T". You can calculate the full timestamp as
<yoursearch> | multikv <params> | eval timestamp = _time + strptime(T, "%H:%M") |
fieldformat timestamp = strftime(timestamp,"%x %X") | ...
Now you can use the new field called "timestamp" instead of _time in the remainder of your command...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah - looks like the strptime(T, "%H:%M") is being evaluated with a Month, Day, Year, in addition to the Hour:Minute, which is hosing the epochtime. For example, when I only have 'eval timestamp = strptime(T, "%H:%M"), and T="19:00", timestamp returns as February 26, 2012 19:00. This would explain why your solution returns the March 02, 2054 01:00 timestamp.
Back to the drawing board, I guess. Still working on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, again.
- I don't think the above is completely accurate, as I modified the strftime to (timestamp, "%B %d, %Y %H:%M") to get the full date, and both the day and time are off. Instead of January 5, 2012 19:00, it returns March 02, 2054 01:00.
I'm assuming it's the eval statement that may need to be modified, but not sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, lguinn. Will give it a shot and post results.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
