Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract and assign a timestamp from a multi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-27-2015
02:42 AM
How to extract and assign the timestamp from the below multiline event. Timestamp exists in the 4th line from last.
Test Log Management
Y12354.ABC
Y12354.ABCýY12354.AMýY12354.PM
LIVE
AMENDýCREATEýNEW
NavigationýNavigationýNavigation
14832 task T1455671 amended - refreshýQC14790 (Correction customer and AccountýMigration of role 256
1505081034ý1504081139ý1503171221
approvedýapprovedýapproved
1505081129ý1504081150ý1503171225
3
4
1506091724
2015_*Y12354.ABC
IN0010001
1
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-28-2015
03:07 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-28-2015
03:07 PM
Use this in props.conf:
TiME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-29-2015
01:00 AM
But sometimes in the log on 10th line also we have value as "1505081034" instead of "1505081034ý1504081139ý1503171221" , but we should not consider this as timestamp. we have to assign the time which is on 30th line(1507101814) as timestamp. How to do that? Below is the sample log
Test Log Management
Y12354.ABC
Y12354.ABC
LIVE
AMEND
Navigation
14832 task T1455671 amended - refresh
1505081034
approved
1505081129
3
4
2015_*Y12354.ABC
1507101814
2015_*Y12354.ABC
IN0010001
1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2015
02:16 AM
You can tell it to always skip at least "x" lines; here is how to do it for x=15:
TiME_PREFIX = ([^\r\n]*[\r\n]){15}.*(?:[\r\n]+)(?=\d{10,}[\r\n])
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-29-2015
02:06 AM
I have used this.. it is working perfectly
TIME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n]+[\w\_\\*\d\.]*[\r\n]+[A-Z]{2}\d{7,}[\r\n]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-27-2015
07:58 AM
Is 1506091724 your timestamp? Why do I see it at the top, too?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinathd
Contributor
07-27-2015
11:53 PM
yes. It is the timestamp. I have added it for testing purpose at the top but actually it exists at the bottom. i have modified the log.
Get Updates on the Splunk Community!
Access Tokens Page - New & Improved
Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...
Transform your security operations with Splunk Enterprise Security
Hi Splunk Community,
Splunk Platform has set a great foundation for your security operations. With the ...
