how to extract a timestamp from beginning of splun...

donB · ‎08-05-2021

All my log statements are of below format.

{
	"source": "stdout",
	"tag": "practice/myapplication:4444a76b917",
	"labels": {
		"pod-template-hash": "343242344",
		"version": "9216a76b917b8258a1ee6de7d3bbf9a78ca59f1f",
		"app_docker_io/instance": "my-application"
	},
	"time": "1628235185.043",
	"line": "2021-08-06T07:33:05.043Z LCS traceId=a83a082592cf2275, spanId=a83a082592cf2275 LCE [qtp310090733-278] ERROR c.p.p.c.a.ErrorHandlerAdvice.logErrorDesc(34) - ERROR RESPONSE SENT",
	"attrs": {
		"image": "practice/myapplication:4444a76b917",
		"env": "dev",
		"region": "local",
		"az": "us-west"
	}
}

i want to extract the timestamp from beginning of each line and sort my results based on that timestamp. I have no idea of splunk search queries. can someone help?

venkatasri · ‎08-06-2021

Hi @donB

Can you share the original _raw event and highlight the timestamp required to be extracted?

donB · ‎08-06-2021

added the raw event (json), thank you

venkatasri · ‎08-06-2021

your _time should have been mapped to "time": already. you can check that by converting it from epoch to readable format.

Alternatively try this for your requirement.

<your_search>
| rex "\"time\":\s+\"(?<time>[^\"]+)" 
| sort time
| convert ctime(time) as time_readable

how to extract a timestamp from beginning of splunk log statement

field extraction

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!