
How do you parse two time formats in Splunk?

Engager

The first time format is

Fri Dec 21 11:17:30 2018

the other one is

2018-12-21T11:17:31.051061

I was wondering how I would line break this, and also how I would format the time format to accept both times?

0 Karma

Re: How do you parse two time formats in Splunk?

SplunkTrust

Each unique format should be tied to a sourcetype. You create base configs that tell Splunk how to read the timestamp and break the events properly relative to the sourcetype. In theory, you write the sourcetype rules once for each log format and you tie new events to that sourcetype.

0 Karma

Re: How do you parse two time formats in Splunk?

Engager

Yeah, I know that. What I was wondering is: is there a way to properly format two different time formats located in one log file?

0 Karma

Re: How do you parse two time formats in Splunk?

SplunkTrust

Well yeah... If they are in the same log file, then assuming they are of the same type, they should be in the same format. If not, then you can route them to a different sourcetype.


Re: How do you parse two time formats in Splunk?

Legend

Use the documentation for sourcetype override. Have timestamp parsing for both sourcetypes as per your needs. While pulling data from index, pull both sourcetypes:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides#Example:_Assign...




| eval message="Happy Splunking!!!"



Re: How do you parse two time formats in Splunk?

Esteemed Legend

If a single file has more than 1 timestamp format then the developers should get a serious paddling and either split the events or pick one format and stick to it. Until that happens, you can force Splunk to look for both with a custom datetime.xml file:
https://www.splunk.com/blog/2014/04/23/its-that-time-again.html
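As an added, runnable illustration (not code from any of the posts, nor Splunk's own), the Python below does in miniature what the question asks of Splunk: it breaks a constructed mixed file into events on a lookahead regex, the same alternation a LINE_BREAKER would use, and parses each event's timestamp by trying the two formats in order, the way a datetime.xml holding both patterns does. The strptime strings are the TIME_FORMAT values for the two formats, except that Splunk writes the six-digit fraction as %6N where Python uses %f; the sample log lines and all function names are constructed here.

```python
import re
from datetime import datetime

# Constructed sample: one file that mixes the two timestamp formats from the question,
# plus an indented continuation line that belongs to the event above it.
SAMPLE_LOG = """\
Fri Dec 21 11:17:30 2018 service started
2018-12-21T11:17:31.051061 worker ready
  stack frame 1 (continuation of the event above)
Fri Dec 21 11:17:32 2018 request handled
"""

# Every event begins with one of the two timestamp shapes. In props.conf the same
# alternation would sit in the lookahead of LINE_BREAKER, e.g.
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=<EVENT_START>)
EVENT_START = (r"(?:[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
               r"|(?:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})")
LINE_BREAKER = re.compile(r"\r?\n(?=" + EVENT_START + r")")

# (name, regex that isolates the timestamp, strptime format). The strptime strings are
# what TIME_FORMAT would hold, except Splunk spells the 6-digit fraction %6N, Python %f.
TIME_FORMATS = [
    ("ctime", r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}", "%a %b %d %H:%M:%S %Y"),
    ("iso", r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}", "%Y-%m-%dT%H:%M:%S.%f"),
]


def break_events(raw):
    """Split raw file text into events; a line that does not start with a
    timestamp is kept as part of the preceding event."""
    return [e for e in LINE_BREAKER.split(raw.rstrip("\r\n")) if e]


def parse_timestamp(event):
    """Try the formats in order, as a datetime.xml with two patterns would.
    Returns (format_name, datetime) or (None, None) if neither matches."""
    for name, regex, fmt in TIME_FORMATS:
        m = re.match(regex, event)  # anchored at the start, like TIME_PREFIX = ^
        if m:
            return name, datetime.strptime(m.group(0), fmt)
    return None, None


def parse_log(raw):
    """Break the file into events and attach the parsed time to each one."""
    out = []
    for event in break_events(raw):
        name, when = parse_timestamp(event)
        out.append({"format": name, "time": when, "raw": event})
    return out
```

One caveat if you take the sourcetype-override route instead: a transforms.conf rewrite of MetaData:Sourcetype runs in the typing queue, after line breaking and timestamp extraction have already happened, so the LINE_BREAKER and TIME_FORMAT settings have to be attached to the sourcetype the data arrives with, not to the sourcetypes it is renamed to.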