Hi Splunkers,
I have some trouble extracting a field as a date.
Please help me.
I have logs like the ones below.
20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B
20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D
etc....
These mean:
yyyymmddHHMMSS(millisecond) SOMEWORDS_A yyyymmddHHMMSS(millisecond) SOMEWORDS_B
One record has two dates (time format).
Without splitting it into two events,
I want to recognize these fields as dates.
Now I have configured the props.conf file as follows:
<props.conf>
[some]
EXTRACT-First_Time = (?P<First_Time>^[0-9]{14}).+
EXTRACT-Last_Time = ^.{22}(?P<Last_Time>[0-9]{14}).+
and I search on this field in the search app:
First_Time="20130624090015"
→ But "No matching events found. Inspect ..." was displayed.
I also searched as follows:
First_Time="20130624090015*"
→ I got the intended event.
Why does this happen?
And I'd be happy to hear of a way to recognize the field as a date other than as the timestamp.
Thank you.
First of all, if this is your event's main timestamp you definitely should be configuring timestamp recognition properly instead of extracting this as a field. It makes more sense and also makes it way faster to filter on. More information is available here, among other places: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configuretimestamprecognition
That said, a short explanation for the problems you're seeing can be found by reading these: http://splunk-base.splunk.com/answers/61507/how-do-underscores-affect-searches
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
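The following is an added worked example, not part of the original thread and not Ayn's or Splunk's code. It models in plain Python what the answer and the linked articles describe: the regex extraction of the two 17-digit stamps (parsed as real timestamps with their milliseconds), and why an exact `First_Time="20130624090015"` search finds nothing while the wildcard form does. The sample events are constructed from the question, the tokeniser (`index_terms`) is a deliberately simplified stand-in for Splunk's segmenters (letters and digits only, with `_` acting as a breaker), and the `search` function is a model of the `INDEXED_VALUE` behaviour from fields.conf, not Splunk's actual search pipeline. The `Last_Time` pattern is anchored on the end of the first stamp/word pair rather than on a fixed `.{22}` offset, which assumes the words themselves contain no digits.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events shaped like the question's logs: a 17-digit stamp
# (yyyymmddHHMMSS plus three millisecond digits), a word, then the pair again.
EVENTS = [
    "20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B",
    "20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D",
]

# Search-time extraction equivalent to the two EXTRACT- stanzas, except that
# Last_Time is found after the first stamp and word instead of at a fixed
# offset, so it still works if the word length changes.
# Assumption: the words between the stamps contain no digits.
EVENT_RE = re.compile(
    r"^(?P<First_Time>\d{14})(?P<First_ms>\d{3})[^\d]+"
    r"(?P<Last_Time>\d{14})(?P<Last_ms>\d{3})"
)

# Python strptime format for the 17-digit stamp; %f accepts "008" as 8000 us.
# The Splunk TIME_FORMAT equivalent would be %Y%m%d%H%M%S%3N.
TIME_FORMAT = "%Y%m%d%H%M%S%f"


def extract_fields(raw):
    """Return the extracted fields for one raw event, or {} if the regex fails."""
    m = EVENT_RE.match(raw)
    if not m:
        return {}
    g = m.groupdict()
    return {
        # The 14-digit strings the EXTRACT- stanzas would produce.
        "First_Time": g["First_Time"],
        "Last_Time": g["Last_Time"],
        # The same values parsed as datetimes, milliseconds included.
        "_first": datetime.strptime(g["First_Time"] + g["First_ms"], TIME_FORMAT),
        "_last": datetime.strptime(g["Last_Time"] + g["Last_ms"], TIME_FORMAT),
    }


def index_terms(raw):
    """Simplified model of the terms the indexer stores for an event: maximal
    runs of letters and digits, with '_' treated as a breaker. This is an
    assumption standing in for Splunk's real segmenters.conf, but it shows the
    point: the 14 date digits are glued to the millisecond digits, so the
    value "20130624090015" never exists as a term on its own."""
    return set(re.findall(r"[A-Za-z0-9]+", raw))


def search(field, pattern, indexed_value=True):
    """Model of a field=value search over EVENTS.

    With INDEXED_VALUE=true (the default for an extracted field), Splunk
    expands field=value into value AND field=value, so an exact value must
    also be present as an indexed term; if it is not, the event is rejected
    before the search-time extraction is ever consulted. A wildcard value
    is not pinned to an exact term, which is why First_Time="20130624090015*"
    matched in the question. Setting INDEXED_VALUE=false in fields.conf
    removes the term requirement and the exact search works as expected."""
    hits = []
    wildcard = "*" in pattern
    for raw in EVENTS:
        if indexed_value and not wildcard and pattern not in index_terms(raw):
            continue
        fields = extract_fields(raw)
        if field in fields and fnmatchcase(fields[field], pattern):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    for raw in EVENTS:
        f = extract_fields(raw)
        print(f["First_Time"], f["_first"].isoformat(timespec="milliseconds"),
              f["Last_Time"], f["_last"].isoformat(timespec="milliseconds"))
    print("exact, INDEXED_VALUE=true :", search("First_Time", "20130624090015"))
    print("wildcard, INDEXED_VALUE=true :", search("First_Time", "20130624090015*"))
    print("exact, INDEXED_VALUE=false:", search("First_Time", "20130624090015", indexed_value=False))
```

For the real deployment the answer's advice stands: if the first stamp is the event time, let the indexer parse it (in props.conf, `TIME_FORMAT = %Y%m%d%H%M%S%3N` with `MAX_TIMESTAMP_LOOKAHEAD = 17`, and `TIME_PREFIX = ^` since it starts the line) instead of relying on a search-time `EXTRACT-`, and for any field that is extracted but whose value is not a whole term in `_raw`, add `INDEXED_VALUE = false` to its stanza in fields.conf.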
Thank you as always, Ayn.
Thanks to your advice, I found the answer.
INDEXED_VALUE
* Set this to false if the value is not in the raw text of the event.