I have a log file with events that start like - 2019-01-09 11:19:37 WARN.
We ended up using TIME_FORMAT=%Y-%m-%d%t%H:%M:%S and I don't like the %t (tab) part.
Is there a better way to handle the white space in TIME_FORMAT?
Just a space " ", nothing more, nothing else.
Sometimes you will see a capital T.
Check out this example and see:
| makeresults count=1
| eval time_with_space1 = "2019-01-09 11:19:37"
| eval time_with_space2 = "2019 01 09 11:19:37"
| eval time_with_space3 = "2019-01-09T11:19:37"
| eval check_that_time_format_works1 = strftime(strptime(time_with_space1, "%Y-%m-%d %H:%M:%S"), "%c")
| eval check_that_time_format_works2 = strftime(strptime(time_with_space2, "%Y %m %d %H:%M:%S"), "%c")
| eval check_that_time_format_works3 = strftime(strptime(time_with_space3, "%Y-%m-%dT%H:%M:%S"), "%c")
hope it helps
You can use combinations of %r, %n, %t and a regular space character. The numbers are not important, but the order is.
Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables.
Again, great knowledge!
Thank you @woodcock !!!
@woodcock, will a tab in the data be captured by a space in TIME_FORMAT=%Y-%m-%d %H:%M:%S?
No, you need to use %t.
Wow - a bit limiting ;-)
Interesting, I added a couple of spaces here between the date and the time -
| eval time_with_space1 = "2019-01-09 11:19:37"
And it still works!!!
So, the space within "%Y-%m-%d %H:%M:%S" is stretchable, right?
My conclusion is that any combination of spaces and tabs in the data should be condensed to one space within TIME_FORMAT. I hope it's correct.
Thank you @adonio !!!
The SE said -
You just leave a blank space;
TIME_FORMAT=%Y-%m-%d %H:%M:%S
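The thread leaves open whether a single space in the format also matches a tab or a run of spaces in the data. The search below is an added check, not written by any poster in this thread: it runs both format strings against three constructed sample values (one space, three spaces, one tab) and reports which combinations parse. It uses eval's strptime at search time, which is assumed here, not confirmed by the thread, to behave like TIME_FORMAT at index time; the field names are hypothetical.

```spl
| makeresults count=1
| eval tab = urldecode("%09")
| eval sample_one_space = "2019-01-09 11:19:37"
| eval sample_three_spaces = "2019-01-09   11:19:37"
| eval sample_one_tab = "2019-01-09" . tab . "11:19:37"
| eval fmt_space = "%Y-%m-%d %H:%M:%S"
| eval fmt_tab = "%Y-%m-%d%t%H:%M:%S"
| eval space_fmt_on_one_space = if(isnull(strptime(sample_one_space, fmt_space)), "no match", "parsed")
| eval space_fmt_on_three_spaces = if(isnull(strptime(sample_three_spaces, fmt_space)), "no match", "parsed")
| eval space_fmt_on_one_tab = if(isnull(strptime(sample_one_tab, fmt_space)), "no match", "parsed")
| eval tab_fmt_on_one_space = if(isnull(strptime(sample_one_space, fmt_tab)), "no match", "parsed")
| eval tab_fmt_on_three_spaces = if(isnull(strptime(sample_three_spaces, fmt_tab)), "no match", "parsed")
| eval tab_fmt_on_one_tab = if(isnull(strptime(sample_one_tab, fmt_tab)), "no match", "parsed")
| table space_fmt_on_* tab_fmt_on_*
```

Any "no match" cell marks a separator the format would fail on. Confirm the same on a test index before relying on it for production timestamps, since a failed TIME_FORMAT match leaves events with a timestamp other than the one written in the log line.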