Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extrating fields with the single dates of the month?

sympatiko
Communicator
‎07-01-2015 02:46 AM

Hi Splunkers,

Im having this serious problem. Is there any way to transform or modify a log coming to a certain index?

Example: I have logs like this:

Jul 1 08:00:00 user service : example logs

I want to modify into :

07-01 08:00:00 user service : example logs

Is this possible? Im going to do log extraction for my alerting.

Thanks

Tags (2)
0 Karma
Reply

vganjare
Builder
‎07-01-2015 03:20 AM

You can try using strptime and strftime commands for formating the time. More details @

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

Thanks!!

0 Karma
Reply

sympatiko
Communicator
‎07-01-2015 03:33 AM

Hi vganjare,

Im very newbie at splunk and there are some terms that made me confused. Can you give me some sample?

Thanks

0 Karma
Reply

vganjare
Builder
‎07-01-2015 03:45 AM

Lets take this example:
Jul 1 08:00:00 ==> %b %d %H:%M:%S (refer to http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables)

07-01 08:00:00 ==> %m-%d %H:%M:%S

Your query should look like:
...... | eval customTime = strftime(_time, "%m-%d %H:%M:%S")

Check the examples of strftime and strptime at http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonEvalFunctions

0 Karma
Reply

sympatiko
Communicator
‎07-01-2015 06:53 AM

Because I configured an alerting with field extraction. So I only notice now that Every 1-9 of the month the logs has a space between the month and the day.

Sample : Jul 1 .......

It has extra space so it causes my custom alerts to read the different parameter based on my extracted fields on my query.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...