- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to treat the concecutive numbers event ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunkers,
I have some troubles to extract the field as a date.
Please help me.
I have logs like below.
20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B
20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D
etc....
These mean,
yyyymmddHHMMSS(milisecond) SOMEWORDS_A yyyymmddHHMMSS(milisecond) SOMEWORDS_B
One record has two dates(timeformat).
Without spliting to two events,
I want to recognize these fields as a date.
Now I configure props.conf file,
<props.conf>
[some]
EXTRACT-First_Time = (?P<First_Time>^[0-9]{14}).+
EXTRACT-Last_Time = ^.{22}(?P<Last_Time>^[0-9]{14}).+
and I search this field in search apps
First_Time="20130624090015"
→ But "No matching events found. Inspect ..." was displayed.
I also search as following.
First_Time="20130624090015*"
→ I got an objective event.
Why does this happen ?
And I'm happy to listen to the way of recognizing the field as date other than timestamp.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, if this is your event's main timestamp you definitely should be configuring timestamp recognition properly instead of extracting this as a field. It makes more sense and also makes it way faster to filter on. More information is available here, among other places: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
That said, a short explanation for the problems you're seeing can be found by reading these: http://splunk-base.splunk.com/answers/61507/how-do-underscores-affect-searches
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, if this is your event's main timestamp you definitely should be configuring timestamp recognition properly instead of extracting this as a field. It makes more sense and also makes it way faster to filter on. More information is available here, among other places: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
That said, a short explanation for the problems you're seeing can be found by reading these: http://splunk-base.splunk.com/answers/61507/how-do-underscores-affect-searches
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you as always, Ayn.
By your advices, I got the answer.
INDEXED_VALUE
* Set this to false if the value is not in the raw text of the event.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
