Splunk Search

How to treat the consecutive numbers event?

sunrise
Contributor

Hi Splunkers,
I am having some trouble extracting a field as a date.
Please help me.

I have logs like below.

20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B
20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D
etc....

These mean,

yyyymmddHHMMSS(millisecond) SOMEWORDS_A yyyymmddHHMMSS(millisecond) SOMEWORDS_B

One record has two dates (time format).
Without splitting it into two events,
I want to recognize these fields as dates.
Currently I have configured the props.conf file as follows,

<props.conf>
[some]
# first 14 digits at the start of the raw event (yyyymmddHHMMSS)
EXTRACT-First_Time = (?P<First_Time>^[0-9]{14}).+
# second timestamp begins 22 characters into the event
EXTRACT-Last_Time = ^.{22}(?P<Last_Time>[0-9]{14}).+

and I search on this field in the Search app

First_Time="20130624090015"
→ But "No matching events found. Inspect ..." was displayed.

I also searched as follows.

First_Time="20130624090015*"
→ I got the event I wanted.

Why does this happen?
I would also be happy to hear about ways of recognizing the field as a date other than as the event timestamp.

Thank you.

0 Karma

Ayn
Legend

First of all, if this is your event's main timestamp, you should definitely be configuring timestamp recognition properly instead of extracting this as a field. It makes more sense and also makes it way faster to filter on. More information is available here, among other places: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition

That said, a short explanation for the problems you're seeing can be found by reading these: http://splunk-base.splunk.com/answers/61507/how-do-underscores-affect-searches
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

0 Karma

sunrise
Contributor

Thank you as always, Ayn.
Thanks to your advice, I got the answer.

INDEXED_VALUE
* Set this to false if the value is not in the raw text of the event.

0 Karma
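Putting the thread's two conclusions together (Ayn's point that the leading digits should be parsed as the real event timestamp, and sunrise's finding that INDEXED_VALUE controls the lookup that made the exact-value search return nothing), here is a constructed configuration that is not from the original posts. It assumes the sourcetype stanza name "some" from the question, that the text between the two timestamps contains no digits, and that the INDEXED_VALUE setting lives in fields.conf, where Splunk defines it.

```ini
# props.conf  (constructed example; "some" is the sourcetype from the question)
[some]
# Parse the leading 17 digits (yyyymmddHHMMSS + 3 millisecond digits) as _time
# instead of only extracting them as a plain field; %3N = milliseconds.
TIME_PREFIX = ^
TIME_FORMAT = %Y%m%d%H%M%S%3N
MAX_TIMESTAMP_LOOKAHEAD = 17

# Search-time extraction of both 14-digit values as separate fields.
# Assumption: the words between the timestamps contain no digits, so
# [^0-9]+ locates the second timestamp whatever the words' length.
# If your real words can contain digits, keep the fixed offset from the
# question (^.{22}) instead of the [^0-9]+ skip.
EXTRACT-First_Time = ^(?P<First_Time>[0-9]{14})
EXTRACT-Last_Time = ^[0-9]{17}[^0-9]+(?P<Last_Time>[0-9]{14})

# fields.conf
# The 14-digit values never appear as stand-alone tokens in the raw text
# (the raw token is the whole run "20130624090015008SOMEWORDS_A"), so tell
# Splunk not to require the literal value in the index before applying the
# regex. Without this, First_Time="20130624090015" finds nothing while
# First_Time="20130624090015*" matches by token prefix.
[First_Time]
INDEXED_VALUE = false

[Last_Time]
INDEXED_VALUE = false
```

With this in place, _time already carries the first timestamp, and the second one can be turned into a proper time value in search with `| eval Last_epoch=strptime(Last_Time, "%Y%m%d%H%M%S")` (and back into readable form with strftime), which answers the "recognize the field as a date other than the timestamp" part of the question.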