Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extracting timestamp from multiple timestamp

mmohiuddin
Path Finder
‎02-18-2015 02:25 PM

HI

I have the following event with multiple time stamp

Feb 18 2015 16:20:00:456 host=127.XX.XXX.XX 21:20:00:456 XXXX

I need splunk to recognize timstamp from :

the following onwards

Feb 18 2015 16:20:00:456 host=127.XX.XXX.XX "21:20:00:456 XXXX"

the ones marked in " XXX"

What entry do i need to put in props.conf to achieve this.

Please let me know

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-19-2015 09:32 AM

Use this:

TIME_PREFIX = .*?host=\d+\.\d+\.\d+\.\d+\s+\"
0 Karma
Reply

ppablo
Retired
‎02-18-2015 04:16 PM

Hi @mmohiuddin

Just to clarify for people who can help you, you want to extract the timestamp 21:20:00:456?

0 Karma
Reply

mmohiuddin
Path Finder
‎02-19-2015 05:18 AM

yes I want to extract the timestamp 21:20:00:456

0 Karma
Reply

mmohiuddin
Path Finder
‎02-19-2015 06:06 AM

This is the actual log event:

Feb 19 09:00:55 133.17.1.124 Feb 19 14:00:56 LDC-N26-SSLVPN4 AN_SQUID_LOG 1424354456.021 1 10.9.8.21 TCP_MISS/200 1670 GET /myaccess/logout.gif - DIRECT/205.145.103.151 -

It is coming from syslog event.

I need splunk to extract timestamp from

Feb 19 14:00:56 LDC-N26-SSLVPN4

onwards.

This is what I have entered in props.conf on indexer. Source is udp:514

[udp:\514]
TIME_PREFIX = \w+\s+\d+\s+\d+:\d+:\d+\s+\d+.\d+.\d+.\d+\s+
MAX_TIMESTAMP_LOOKAHEAD = 30

But even after doing that and restarting indexer, I am still not able to extract the required timestamp

Feb 19 14:00:56 LDC-N26-SSLVPN4

Please let me know what I am missing here

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-22-2015 08:27 PM

If time is ALWAYS exactly 5 hours off, the just make a timezone shift off the first time in the event. That would be the easiest thing to do.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...