Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract a timestamp from beginning of splunk log statement

donB
Loves-to-Learn Lots
‎08-05-2021 11:58 PM

All my log statements are of below format.

{
	"source": "stdout",
	"tag": "practice/myapplication:4444a76b917",
	"labels": {
		"pod-template-hash": "343242344",
		"version": "9216a76b917b8258a1ee6de7d3bbf9a78ca59f1f",
		"app_docker_io/instance": "my-application"
	},
	"time": "1628235185.043",
	"line": "2021-08-06T07:33:05.043Z LCS traceId=a83a082592cf2275, spanId=a83a082592cf2275 LCE [qtp310090733-278] ERROR c.p.p.c.a.ErrorHandlerAdvice.logErrorDesc(34) - ERROR RESPONSE SENT",
	"attrs": {
		"image": "practice/myapplication:4444a76b917",
		"env": "dev",
		"region": "local",
		"az": "us-west"
	}
}

 

i want to extract the timestamp from beginning of each line and sort my results based on that timestamp. I have no idea of splunk search queries. can someone help?

Labels (3)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-06-2021 12:32 AM

Hi @donB 

Can you share the original _raw event and highlight the timestamp required to be extracted?

0 Karma
Reply

donB
Loves-to-Learn Lots
‎08-06-2021 12:43 AM

added the raw event (json), thank you

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-06-2021 01:02 AM

your _time should have been mapped to "time": already. you can check that by converting it from epoch to readable format.

Alternatively try this for your requirement.

 

<your_search>
| rex "\"time\":\s+\"(?<time>[^\"]+)" 
| sort time
| convert ctime(time) as time_readable

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...