Splunk Search

how to extract a timestamp from beginning of splunk log statement

donB
Loves-to-Learn Lots

All my log statements are of below format.

{
	"source": "stdout",
	"tag": "practice/myapplication:4444a76b917",
	"labels": {
		"pod-template-hash": "343242344",
		"version": "9216a76b917b8258a1ee6de7d3bbf9a78ca59f1f",
		"app_docker_io/instance": "my-application"
	},
	"time": "1628235185.043",
	"line": "2021-08-06T07:33:05.043Z LCS traceId=a83a082592cf2275, spanId=a83a082592cf2275 LCE [qtp310090733-278] ERROR c.p.p.c.a.ErrorHandlerAdvice.logErrorDesc(34) - ERROR RESPONSE SENT",
	"attrs": {
		"image": "practice/myapplication:4444a76b917",
		"env": "dev",
		"region": "local",
		"az": "us-west"
	}
}

 

i want to extract the timestamp from beginning of each line and sort my results based on that timestamp. I have no idea of splunk search queries. can someone help?

Labels (3)
0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @donB 

Can you share the original _raw event and highlight the timestamp required to be extracted?

0 Karma

donB
Loves-to-Learn Lots

added the raw event (json), thank you

0 Karma

venkatasri
SplunkTrust
SplunkTrust

your _time should have been mapped to "time": already. you can check that by converting it from epoch to readable format.

Alternatively try this for your requirement.

 

<your_search>
| rex "\"time\":\s+\"(?<time>[^\"]+)" 
| sort time
| convert ctime(time) as time_readable 

 

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...