Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timestamp recognition - nonstandard time field

bregan_2
New Member
‎07-05-2017 12:19 AM

Hi, I have a problem with timestamp recognition in the following logs:

The originating log source outputs records (pipe delimited) with the following as timestamps :

20170701|200009|
20170701|20009|
20170701|2009|
20170701|209|
20170701|29|
20170701|9|

As you can see, the logs do not have leading zeros if the time is for example "00:00:09 AM", the logs would output as "9"

I know how to solve this during search time by doing some evals and zeropadding and then using strptime.
However, what options do i have to solve this during INDEXING time?

Thought of doing a transform and creating a newfield however i quickly realised timestamp recognition is done before transforms.conf.

strptime only has %k for single digit HOURS, I've run out of ideas for a custom datetime.xml.
Would appreciate any help on this.

Thank you

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎07-05-2017 08:01 AM

Try setting that sourcetype up with three different timestamp formats, in order, with the first assuming there are seconds only, the second assuming minutes and seconds, and the third assuming hours minutes and seconds. You will need to include the trailing pipe symbol into the format to make that work, so it would be something like this... 

[timeattempt1]
%Y%m%d\|%S\|

[timeattempt2]
%Y%m%d\|%M%S\|

[timeattempt3]
%Y%m%d\|%H%M%S\|
0 Karma
Reply

bregan_2
New Member
‎07-05-2017 07:20 AM

It's HHMMSS except it takes away all leading zeros if it's 000009.

0 Karma
Reply

bregan_2
New Member
‎07-05-2017 07:20 AM

It's HHMMSS except it takes away all leading zeros if it's 000009.

0 Karma
Reply

jplumsdaine22
Influencer
‎07-05-2017 07:13 AM

Do all those timestamps represent "00:00:09 AM", ? It''s not clear what they mean.

0 Karma
Reply

bregan_2
New Member
‎07-05-2017 07:21 AM

It's HHMMSS except it takes away all leading zeros. E.g 000009 would be 9.

200009 would be 20:00:09

0 Karma
Reply

jplumsdaine22
Influencer
‎07-05-2017 07:42 AM

So what is 2009 is also 20:00:09 ? Like I said it's not really clear what the rule is. Or does it strip tailing 0s as well.

And is |9 09:00:00 ?

0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!