Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: multikv row timestamp extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multikv row timestamp extraction
I'm trying to figure out the best way to extract a time stamp (not date) from a row when using multikv.
Here's the raw data:
" AIX Net Activity for Sunday, January 1, 2012 (00:00-00:00) (1) es2p375p"
CPU KB PKTS PKT ERRS
------------------ --------- --------- -------------------------
%I %K %U %W logc I O I O In errs O errs Collisions
--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
20:00 95 4 1 0 0.40 0 0 * * * * *
18:00 95 4 1 0 0.38 0 0 * * * * *
16:00 95 4 1 0 0.38 0 0 * * * * *
14:00 94 4 1 0 0.42 0 0 * * * * *
12:00 95 4 1 0 0.41 0 0 * * * * *
10:00 95 4 1 0 0.40 0 0 * * * * *
08:00 95 4 1 0 0.41 0 0 * * * * *
06:00 86 4 5 5 0.73 0 0 * * * * *
04:00 85 5 7 3 0.95 0 0 * * * * *
02:00 93 5 1 1 0.51 0 0 * * * * *
00:24 95 3 1 0 0.36 0 0 * * * * *
--- -- -- -- ----- ---- ---- ---- ---- ------- ------ ----------
SUM: 0 0
AVG: 93 4 2 1 0.49 0 0
I've already configured the multikv.conf and props.conf files to parse the log and extract the fields properly (there are multiple tables in a single log file, one table for each day).
Splunk see's each table as a different day, but the timestamp for each event/row is always 00:00, as opposed to the time in the first field of the event row. For example, the row
20:00 95 4 1 0 0.40 0 0 * * * * *
Will have a date/time stamp of January 1, 2012 00:00, instead of January 1, 2012 20:00.
Any ideas on the best way to solve this? All suggestions are welcome. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, assume that the first column is extracted into a field called "T". You can calculate the full timestamp as
<yoursearch> | multikv <params> | eval timestamp = _time + strptime(T, "%H:%M") |
fieldformat timestamp = strftime(timestamp,"%x %X") | ...
Now you can use the new field called "timestamp" instead of _time in the remainder of your command...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah - looks like the strptime(T, "%H:%M") is being evaluated with a Month, Day, Year, in addition to the Hour:Minute, which is hosing the epochtime. For example, when I only have 'eval timestamp = strptime(T, "%H:%M"), and T="19:00", timestamp returns as February 26, 2012 19:00. This would explain why your solution returns the March 02, 2054 01:00 timestamp.
Back to the drawing board, I guess. Still working on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, again.
- I don't think the above is completely accurate, as I modified the strftime to (timestamp, "%B %d, %Y %H:%M") to get the full date, and both the day and time are off. Instead of January 5, 2012 19:00, it returns March 02, 2054 01:00.
I'm assuming it's the eval statement that may need to be modified, but not sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, lguinn. Will give it a shot and post results.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
