Splunk Search

How to treat the consecutive numbers event?

Contributor

Hi Splunkers,
I have some trouble extracting the field as a date.
Please help me.

I have logs like below.

20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B
20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D
etc....

These mean:

yyyymmddHHMMSS(millisecond) SOMEWORDS_A yyyymmddHHMMSS(millisecond) SOMEWORDS_B

One record has two dates (time format).
Without splitting it into two events,
I want to recognize these fields as dates.
Now I configure the props.conf file:

<props.conf>
[some]
EXTRACT-First_Time = (?P<First_Time>^[0-9]{14}).+
# the '^' must stay outside the group: after .{22} has consumed 22 characters a start-of-line anchor can never match
EXTRACT-Last_Time = ^.{22}(?P<Last_Time>[0-9]{14}).+

and I search this field in the search app

First_Time="20130624090015"
→ But "No matching events found. Inspect ..." was displayed.

I also searched as follows.

First_Time="20130624090015*"
→ I got the intended event.

Why does this happen?
And I'm happy to hear of a way to recognize the field as a date other than as the timestamp.

Thank you.

0 Karma
1 Solution

Legend

First of all, if this is your event's main timestamp you definitely should be configuring timestamp recognition properly instead of extracting this as a field. It makes more sense and also makes it way faster to filter on. More information is available here, among other places: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

That said, a short explanation for the problems you're seeing can be found by reading these: http://splunk-base.splunk.com/answers/61507/how-do-underscores-affect-searches
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/


0 Karma


Contributor

Thank you as always, Ayn.
By your advice, I got the answer.

INDEXED_VALUE
* Set this to false if the value is not in the raw text of the event.

0 Karma
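An added example, not from this thread or from Splunk, that mirrors the extraction and the search behaviour discussed above in Python: it shows why the posted Last_Time regex never matches, extracts both stamps by anchoring on the digit run instead of a fixed offset, and models (as a stated simplification, not Splunk's actual code) why the literal First_Time search finds nothing while the wildcard search and the INDEXED_VALUE=false fix both work. The sample events are constructed from the shape shown in the question.

```python
import re
from datetime import datetime

# Constructed sample events in the shape shown in the question (not real data).
SAMPLE_EVENTS = [
    "20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B",
    "20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D",
]

# The posted Last_Time extraction: the '^' inside the group, after .{22} has
# consumed 22 characters, can never match, so the field is never extracted.
BROKEN_LAST_TIME = re.compile(r"^.{22}(?P<Last_Time>^[0-9]{14}).+")

# Corrected idea: anchor on the 17-digit run itself (14 digits + 3 millisecond
# digits) instead of a fixed offset, so it works for any length of SOMEWORDS.
STAMP_RE = re.compile(r"(?<![0-9])(?P<stamp>[0-9]{14})[0-9]{3}(?![0-9])")


def extract_times(raw):
    """Return (First_Time, Last_Time) as the 14-digit strings an EXTRACT yields."""
    stamps = [m.group("stamp") for m in STAMP_RE.finditer(raw)]
    if len(stamps) < 2:
        raise ValueError("expected two timestamps in %r" % raw)
    return stamps[0], stamps[-1]


def to_datetime(stamp14):
    """Turn a 14-digit yyyymmddHHMMSS value into a real date."""
    return datetime.strptime(stamp14, "%Y%m%d%H%M%S")


def literal_search(raw, value, indexed_value=True):
    """Simplified model (an assumption for illustration, not Splunk's code) of
    First_Time="<value>". With INDEXED_VALUE true (the default) the search first
    needs the value as an indexed term of the raw text; terms are approximated
    here as whitespace-separated runs. The 14-digit value is glued to the
    millisecond digits and the words, so it is never a whole term, while a
    trailing * is a prefix match and does hit the term. With INDEXED_VALUE=false
    (the asker's fix) only the extracted field is compared."""
    first, _ = extract_times(raw)
    terms = raw.split()
    if value.endswith("*"):
        prefix = value[:-1]
        return any(t.startswith(prefix) for t in terms) and first.startswith(prefix)
    if indexed_value and value not in terms:
        return False  # "No matching events found"
    return first == value
```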