Splunk Search

extracting timestamp from multiple timestamp

mmohiuddin
Path Finder

HI

I have the following event with multiple time stamp

Feb 18 2015 16:20:00:456 host=127.XX.XXX.XX 21:20:00:456 XXXX

I need splunk to recognize timstamp from :

the following onwards

Feb 18 2015 16:20:00:456 host=127.XX.XXX.XX "21:20:00:456 XXXX"

the ones marked in " XXX"

What entry do i need to put in props.conf to achieve this.

Please let me know

Thanks

Tags (1)
0 Karma

woodcock
Esteemed Legend

Use this:

TIME_PREFIX = .*?host=\d+\.\d+\.\d+\.\d+\s+\"
0 Karma

ppablo
Retired

Hi @mmohiuddin

Just to clarify for people who can help you, you want to extract the timestamp 21:20:00:456?

0 Karma

mmohiuddin
Path Finder

yes I want to extract the timestamp 21:20:00:456

0 Karma

mmohiuddin
Path Finder

This is the actual log event:

Feb 19 09:00:55 133.17.1.124 Feb 19 14:00:56 LDC-N26-SSLVPN4 AN_SQUID_LOG 1424354456.021 1 10.9.8.21 TCP_MISS/200 1670 GET /myaccess/logout.gif - DIRECT/205.145.103.151 -

It is coming from syslog event.

I need splunk to extract timestamp from

Feb 19 14:00:56 LDC-N26-SSLVPN4

onwards.

This is what I have entered in props.conf on indexer. Source is udp:514

[udp:\514]
TIME_PREFIX = \w+\s+\d+\s+\d+:\d+:\d+\s+\d+.\d+.\d+.\d+\s+
MAX_TIMESTAMP_LOOKAHEAD = 30

But even after doing that and restarting indexer, I am still not able to extract the required timestamp

Feb 19 14:00:56 LDC-N26-SSLVPN4

Please let me know what I am missing here

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

If time is ALWAYS exactly 5 hours off, the just make a timezone shift off the first time in the event. That would be the easiest thing to do.

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...