how to extract a timestamp from beginning of splun...

donB · ‎08-05-2021

All my log statements are of below format.

{
	"source": "stdout",
	"tag": "practice/myapplication:4444a76b917",
	"labels": {
		"pod-template-hash": "343242344",
		"version": "9216a76b917b8258a1ee6de7d3bbf9a78ca59f1f",
		"app_docker_io/instance": "my-application"
	},
	"time": "1628235185.043",
	"line": "2021-08-06T07:33:05.043Z LCS traceId=a83a082592cf2275, spanId=a83a082592cf2275 LCE [qtp310090733-278] ERROR c.p.p.c.a.ErrorHandlerAdvice.logErrorDesc(34) - ERROR RESPONSE SENT",
	"attrs": {
		"image": "practice/myapplication:4444a76b917",
		"env": "dev",
		"region": "local",
		"az": "us-west"
	}
}

i want to extract the timestamp from beginning of each line and sort my results based on that timestamp. I have no idea of splunk search queries. can someone help?

venkatasri · ‎08-06-2021

Hi @donB

Can you share the original _raw event and highlight the timestamp required to be extracted?

donB · ‎08-06-2021

added the raw event (json), thank you

venkatasri · ‎08-06-2021

your _time should have been mapped to "time": already. you can check that by converting it from epoch to readable format.

Alternatively try this for your requirement.

<your_search>
| rex "\"time\":\s+\"(?<time>[^\"]+)" 
| sort time
| convert ctime(time) as time_readable

how to extract a timestamp from beginning of splunk log statement

field extraction

regex

rex

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?