Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timestamp extraction issue

asarolkar
Builder
‎03-04-2013 11:49 AM

Hi everyone,

I have the following log line which has two timestamps and we need to get the SECOND one. 

Mar  4 18:50:02 ids1-ecojbs-p01 access_combined: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]




I tried using the wizard that Splunk provides and changed the setting in
Manager » Data inputs » Add data » A file or directory of files » Files & directories » Data preview, to the following

NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=/[%d/%b/%Y:%H:%M%S]/g




But this regex does not seem to be working out

Other potential log lines (where the second timestamp needs to be extracted), look like 

Mar  4 18:50:02 ids1-ecojbs-p01 syslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]
Mar  4 18:50:02 ids1-ecojbs-p01 oslog: 10.142.1.109 - - [04/Mar/2013:10:50:03 -0800]



Does anybody know what else ought to be configured in the wizard ?
Does it need a TIME_PREFIX ?
All input (especially by those who know regex) is welcome !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎03-04-2013 12:20 PM

Not sure what the leading / and trailing /g in your TIME_FORMAT is meant to be? It seems a bit like sed syntax...

The easiest thing would be to pick a TIME_PREFIX that makes Splunk jump to the correct timestamp. From there on I'm fairly sure it will recognize the timestamp format itself. Perhaps

TIME_PREFIX = - - \[

?

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎03-04-2013 12:20 PM

Not sure what the leading / and trailing /g in your TIME_FORMAT is meant to be? It seems a bit like sed syntax...

The easiest thing would be to pick a TIME_PREFIX that makes Splunk jump to the correct timestamp. From there on I'm fairly sure it will recognize the timestamp format itself. Perhaps

TIME_PREFIX = - - \[

?

Reply
Solved! Jump to solution

asarolkar
Builder
‎03-04-2013 05:56 PM

That partly solved the problem.

I will pose my question once again (this time with more detail)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...