Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timestamp extraction issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I have the following log line which has two timestamps and we need to get the SECOND one.
Mar 4 18:50:02 ids1-ecojbs-p01 access_combined: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]
I tried using the wizard that Splunk provides and changed the setting in
Manager » Data inputs » Add data » A file or directory of files » Files & directories » Data preview, to the following
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=/[%d/%b/%Y:%H:%M%S]/g
But this regex does not seem to be working out
Other potential log lines (where the second timestamp needs to be extracted), look like
Mar 4 18:50:02 ids1-ecojbs-p01 syslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]
Mar 4 18:50:02 ids1-ecojbs-p01 oslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]
Does anybody know what else ought to be configured in the wizard ?
Does it need a TIME_PREFIX ?
All input (especially by those who know regex) is welcome !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what the leading / and trailing /g in your TIME_FORMAT is meant to be? It seems a bit like sed syntax...
The easiest thing would be to pick a TIME_PREFIX that makes Splunk jump to the correct timestamp. From there on I'm fairly sure it will recognize the timestamp format itself. Perhaps
TIME_PREFIX = - - \[
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what the leading / and trailing /g in your TIME_FORMAT is meant to be? It seems a bit like sed syntax...
The easiest thing would be to pick a TIME_PREFIX that makes Splunk jump to the correct timestamp. From there on I'm fairly sure it will recognize the timestamp format itself. Perhaps
TIME_PREFIX = - - \[
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That partly solved the problem.
I will pose my question once again (this time with more detail)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
