Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract and assign a timestamp from a multiline event?

srinathd
Contributor
‎07-27-2015 02:42 AM

How to extract and assign the timestamp from the below multiline event. Timestamp exists in the 4th line from last. 

Test Log Management
Y12354.ABC
Y12354.ABCýY12354.AMýY12354.PM


LIVE
AMENDýCREATEýNEW
NavigationýNavigationýNavigation
14832 task T1455671 amended - refreshýQC14790 (Correction customer and AccountýMigration of role 256
1505081034ý1504081139ý1503171221
approvedýapprovedýapproved
1505081129ý1504081150ý1503171225















3
4
1506091724
2015_*Y12354.ABC
IN0010001
1
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-28-2015 03:07 PM

Use this in props.conf:

TiME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n])

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-28-2015 03:07 PM

Use this in props.conf:

TiME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n])
Reply
Solved! Jump to solution

srinathd
Contributor
‎07-29-2015 01:00 AM

But sometimes in the log on 10th line also we have value as "1505081034" instead of "1505081034ý1504081139ý1503171221" , but we should not consider this as timestamp. we have to assign the time which is on 30th line(1507101814) as timestamp. How to do that? Below is the sample log

Test Log Management
Y12354.ABC
Y12354.ABC


LIVE
AMEND
Navigation
14832 task T1455671 amended - refresh
1505081034
approved
1505081129















3
4
2015_*Y12354.ABC
1507101814
2015_*Y12354.ABC
IN0010001
1
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-29-2015 02:16 AM

You can tell it to always skip at least "x" lines; here is how to do it for x=15:

 TiME_PREFIX = ([^\r\n]*[\r\n]){15}.*(?:[\r\n]+)(?=\d{10,}[\r\n])
0 Karma
Reply
Solved! Jump to solution

srinathd
Contributor
‎07-29-2015 02:06 AM

I have used this.. it is working perfectly

TIME_PREFIX = (?:[\r\n]+)(?=\d{10,}[\r\n]+[\w\_\\*\d\.]*[\r\n]+[A-Z]{2}\d{7,}[\r\n]+)
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-27-2015 07:58 AM

Is 1506091724 your timestamp? Why do I see it at the top, too?

Reply
Solved! Jump to solution

srinathd
Contributor
‎07-27-2015 11:53 PM

yes. It is the timestamp. I have added it for testing purpose at the top but actually it exists at the bottom. i have modified the log.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...