I have a log file that has the timestamp for each line as:
Jun 10, 11:07:59.305475
Note that the year is missing - it is inferred from file name... or something...
I am good with deriving year from now()
I would like to convert it to:
Might there be a way to accomplish this when creating a field extraction?
I have had no luck with startime
Thanks for any clues!
You are defining the wrong format for DateTimeStr when converting it into epoch time. Please try this:
| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S.%6N"), "%Y-%m-%d %H:%M:%S:%3N")
See how your DateTimeStr value is 2019-06-06 11:10:04.307625, and your format %Y-%m-%d %H:%M:%S:%3N means you are expecting DateTimeStr to be 2019-06-06 11:10:04:307, which will result in uxTimeStamp being a NULL value.
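The same normalisation outside Splunk, as an added Python example that is not part of the original thread: it parses the yearless stamp directly, infers the year from a supplied "now", and shows that a separator mismatch yields no value. The function names, the one-day skew allowance and the sample lines are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Layout of the log's stamp once a year is prepended, e.g. "2019 Jun 06, 11:10:04.307625".
# Python's %f plays the role of the thread's %6N (assumption: C/English locale for %b).
LOG_FORMAT = "%Y %b %d, %H:%M:%S.%f"


def try_parse(text, fmt):
    """Parse text with fmt; return None on mismatch, like the NULL seen in the thread."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def parse_yearless(stamp, now):
    """Attach the most recent year that keeps the stamp from landing in the future."""
    # Walk back from the current year: covers a December line read in January and
    # a "Feb 29" line read in a non-leap year (8 consecutive years always include
    # a leap year).
    for year in range(now.year, now.year - 8, -1):
        parsed = try_parse(f"{year} {stamp}", LOG_FORMAT)
        if parsed is not None and parsed <= now + timedelta(days=1):  # 1 day of clock skew
            return parsed
    return None


def to_ux(dt):
    """Render as YYYY-MM-DD HH:MM:SS:mmm (milliseconds truncated, not rounded)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f":{dt.microsecond // 1000:03d}"


if __name__ == "__main__":
    # Constructed sample lines and a constructed "current time" for the demo.
    now = datetime(2020, 1, 2, 9, 0, 0)
    for stamp in ["Jun 06, 11:10:04.307625", "Dec 31, 23:59:59.000001", "Jun 06 11:10:04"]:
        parsed = parse_yearless(stamp, now)
        print(stamp, "->", to_ux(parsed) if parsed else None)
    # Separator mismatch (':' where the data has '.') yields None rather than a time.
    print(try_parse("2019-06-06 11:10:04.307625", "%Y-%m-%d %H:%M:%S:%f"))
```

Taking the year from the current date alone would stamp a late-December line read in early January a year into the future, which is why the candidate year is checked against "now".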
Extracted "date time string" data from log: Jun 06, 11:10:04.307625
I added a lookup table
MonthAbrv, MonthNumber
Jan,01
Feb,02
Mar,03
etc....
| rex field=TimeStamp "(?<Month>\w+)"
| lookup MonthStrToNum MonthAbrv as Month OUTPUT MonthNumber
| rex field=TimeStamp "\w+\s(?<day>\d+)"
| eval year=strftime(now(), "%Y")
| rex field=TimeStamp "^.+,\s(?<Time>[\d:.]+)"
| eval DateTimeStr= (year . "-". MonthNumber . "-" . day ." " . Time)
DateTimeStr: 2019-06-06 11:10:04.307625
| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S:%3N"), "%Y-%m-%d %H:%M:%S:%3N")
However uxTimeStamp is NULL -- what might I have missed?
Thanks for any help
Hi @dowdag, are you trying to achieve this using props.conf, or do you want to do this using a Splunk search?
From what I can tell, you are already extracting the timestamp using props.conf and you want to add a year to it?