Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use Field with Timestamp as Eventtime

RobertRi
Communicator
‎05-07-2018 02:30 AM

Hi Community!

I have a problem with a German Timestamp Field!
I would like to extract the correct Timestamp from this field and replace it as the eventtime.
Unfortunatly monthnames are displayed at german language.

What is the best way to do that

This is my field with the timestamp

Mo Mai 07 2018 11:15:46.5650

and I would like to replace the eventtime with that timestamp

Thanks
Rob

Tags (1)
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:07 AM

Edit: Please ignore, that won't work.

I'd agree with @FrankVI and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).

You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 06:15 AM

But would that SEDCMD be performed before Splunk does the timestamp extraction? Otherwise it is rather pointless, right?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:29 AM

You're right, my mistake, that wouldn't work...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 04:32 AM

Looks like you're not the only one who ran into this (no solution unfortunately):
https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html

Not directly related to index time processing of timestamps, but the search time documentation mentions that it follows the server's OS's locale setting:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables

So you might want to try sending this data through a HF that is running on an OS set to German locale.

Alternatively, you could look at defining your own timestamp processor (creating an alternative datetime.xml).

I'd probably aim at fixing this from the data source side, rather than Splunk side...

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 03:09 AM

Ha, Mai is actually the worst example 😉
Just wondering - is the timestamp only showing the first three letters of each month, or is it showing the full month name?

0 Karma
Reply

RobertRi
Communicator
‎05-07-2018 03:49 AM

Only the first three letters.

Regards
Rob

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...