Splunk Search

Use Field with Timestamp as Eventtime

RobertRi
Communicator

Hi Community!

I have a problem with a German Timestamp Field!
I would like to extract the correct Timestamp from this field and replace it as the eventtime.
Unfortunately, month names are displayed in German.

What is the best way to do that?

This is my field with the timestamp

Mo Mai 07 2018 11:15:46.5650

and I would like to replace the eventtime with that timestamp

Thanks
Rob


xpac
SplunkTrust

Edit: Please ignore, that won't work.

I'd agree with @FrankVl and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).

You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...


FrankVl
Ultra Champion

But would that SEDCMD be performed before Splunk does the timestamp extraction? Otherwise it is rather pointless, right?


xpac
SplunkTrust

You're right, my mistake, that wouldn't work...


FrankVl
Ultra Champion

Looks like you're not the only one who ran into this (no solution unfortunately):
https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html

Not directly related to index time processing of timestamps, but the search time documentation mentions that it follows the server's OS's locale setting:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables

So you might want to try sending this data through an HF that is running on an OS set to a German locale.

Alternatively, you could look at defining your own timestamp processor (creating an alternative datetime.xml).

I'd probably aim at fixing this from the data source side, rather than Splunk side...

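As an added illustration of the "fix it on the data source side" route (example code, not from any poster in this thread): a small pre-processing step that rewrites the leading German day/month abbreviations into their English equivalents and then parses the timestamp. It assumes the source emits the three-letter abbreviations of the de_DE locale (Jan, Feb, Mär, Apr, Mai, Jun, Jul, Aug, Sep, Okt, Nov, Dez) and weekdays Mo, Di, Mi, Do, Fr, Sa, So, and that the timestamp sits at the start of each event exactly as in the sample line.

```python
import re
from datetime import datetime

# German -> English abbreviations as produced by the de_DE locale
# (assumption: the source uses exactly these three-letter forms).
GERMAN_MONTHS = {"Jan": "Jan", "Feb": "Feb", "Mär": "Mar", "Apr": "Apr",
                 "Mai": "May", "Jun": "Jun", "Jul": "Jul", "Aug": "Aug",
                 "Sep": "Sep", "Okt": "Oct", "Nov": "Nov", "Dez": "Dec"}
GERMAN_DAYS = {"Mo": "Mon", "Di": "Tue", "Mi": "Wed", "Do": "Thu",
               "Fr": "Fri", "Sa": "Sat", "So": "Sun"}

# Anchored at the start of the event so a stray "Mai" in free text later
# in the line is never rewritten (a blanket sed-style replace would do that).
TS_RE = re.compile(
    r"^(Mo|Di|Mi|Do|Fr|Sa|So) (Jan|Feb|Mär|Apr|Mai|Jun|Jul|Aug|Sep|Okt|Nov|Dez) "
    r"(\d{2}) (\d{4}) (\d{2}:\d{2}:\d{2}\.\d{1,6})"
)
ENGLISH_TS_RE = re.compile(r"^\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{1,6}")


def normalize_timestamp(line: str) -> str:
    """Rewrite a leading German timestamp into its English form.

    Lines without a recognised German prefix are returned unchanged, so the
    function is safe to run over a mixed feed.
    """
    m = TS_RE.match(line)
    if not m:
        return line
    day, month, dom, year, clock = m.groups()
    english = f"{GERMAN_DAYS[day]} {GERMAN_MONTHS[month]} {dom} {year} {clock}"
    return english + line[m.end():]


def parse_event_time(line: str):
    """Return the event time as a datetime, or None when no timestamp prefix
    is present (the caller can then fall back to ingest time)."""
    m = ENGLISH_TS_RE.match(normalize_timestamp(line))
    if not m:
        return None
    # %f accepts 1-6 fractional digits, so the 4-digit ".5650" parses as 565000 us.
    return datetime.strptime(m.group(0), "%a %b %d %Y %H:%M:%S.%f")


if __name__ == "__main__":
    # Constructed sample, based on the timestamp quoted in the question.
    sample = "Mo Mai 07 2018 11:15:46.5650 Backup job finished"
    print(normalize_timestamp(sample))
    print(parse_event_time(sample))
```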

xpac
SplunkTrust

Ha, Mai is actually the worst example 😉
Just wondering - is the timestamp only showing the first three letters of each month, or is it showing the full month name?


RobertRi
Communicator

Only the first three letters.

Regards
Rob
