Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use Field with Timestamp as Eventtime

RobertRi
Communicator
‎05-07-2018 02:30 AM

Hi Community!

I have a problem with a German Timestamp Field!
I would like to extract the correct Timestamp from this field and replace it as the eventtime.
Unfortunatly monthnames are displayed at german language.

What is the best way to do that

This is my field with the timestamp

Mo Mai 07 2018 11:15:46.5650

and I would like to replace the eventtime with that timestamp

Thanks
Rob

Tags (1)
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:07 AM

Edit: Please ignore, that won't work.

I'd agree with @FrankVI and would try to fix the data, and would maybe do this during indexing (because you can most likely not change how you get the data on the source).

You should maybe look into a props.conf entry with SEDCMD, and just have 12 lines to replace each German abbreviation with the English one, and you would be done...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 06:15 AM

But would that SEDCMD be performed before Splunk does the timestamp extraction? Otherwise it is rather pointless, right?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 06:29 AM

You're right, my mistake, that wouldn't work...

0 Karma
Reply

FrankVl
Ultra Champion
‎05-07-2018 04:32 AM

Looks like you're not the only one who ran into this (no solution unfortunately):
https://answers.splunk.com/answers/468409/is-there-a-way-to-force-a-locale-so-that-splunk-re.html

Not directly related to index time processing of timestamps, but the search time documentation mentions that it follows the server's OS's locale setting:
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Commontimeformatvariables

So you might want to try sending this data through a HF that is running on an OS set to German locale.

Alternatively, you could look at defining your own timestamp processor (creating an alternative datetime.xml).

I'd probably aim at fixing this from the data source side, rather than Splunk side...

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-07-2018 03:09 AM

Ha, Mai is actually the worst example 😉
Just wondering - is the timestamp only showing the first three letters of each month, or is it showing the full month name?

0 Karma
Reply

RobertRi
Communicator
‎05-07-2018 03:49 AM

Only the first three letters.

Regards
Rob

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...