timestamp extraction for time format with leading ...

alextsui · ‎10-13-2010

Hi, I would like to extract timestamp from events where the leading zeros of the time format are omitted. Most of the events have the time format like the example below, where Splunk is able to extract the correct time for the events to be 2010/03/22 11:59:49 pm.

20100322,235949,1=1,52=M2010032223594908434,11=192.168.99.132,2=20

However the leading zeros in the time format are omitted. For exmaple "20100322,314,..." means 2010/03/22 00:03:14 am.

Splunk extracts incorrectly for the following event sample to 2010/03/22 10:05:08 pm. The correct time for the event below should be 2010/03/22 02:20:58 am:

20100322,22058,1=1,110=250 U2M2Kv0225593 Message accepted

At the extreme end, events with 5 omitted leading zeros in the time format like 20100322,1,1=1,...., and it's timestamp should be 2010/03/22 00:00:01 am.

What's best way to extract such time format from the events? If it involves modifying the datetime.xml, please kindly provide the REGEX.

Thanks.

dwaddle · ‎10-21-2010

I'm not sure this is possible. Parsing is difficult when there is ambiguity - would a time of "1111" be 00:11:11, 11:11:00 or 01:01:01?

In my opinion, this is the type of problem where for the sake of your own sanity you are far better off to try to get the source application fixed to where it either delimits Hour, Minute, Second, Subsecond or 0-fills appropriately.

timestamp extraction for time format with leading zero omitted in the event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life