how to solve the date issue and how to count the _raw fields from a log using time chart

balajsoz
Path Finder

Hi

I have uploaded a log that contains the below type of events with a time stamp:

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130834>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130834>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130836>

After uploading into Splunk, I am getting the view which contains the fields _time, source, host, sourcetype, punct and _raw.
Question 1) The date in the log shows Apr 28 2013 11.05, but in Splunk under the _time field it shows as "4/28/2013 12:55:33". How to solve this issue?
Question 2) I need to count the number of _raw fields which contain data and which are blank, using the time stamp. For example, at the time of Apr 28 2013 11.05, the count of _raw fields having some data and the count of _raw fields not having any data (blank). How to do this?

Sorry, I am not able to attach an image or screenshot of the Splunk view with this query since I am getting an error.

Please share any mail id so that I can provide a sample of the Splunk view to understand better if needed.


kristian_kolb
Ultra Champion

Your events actually contain two timestamps.

One is the rather clumsy one in the beginning of the event, which I believe can be problematic for Splunk to understand without specific configuration from you.

The other is the epoch timestamp further into the message. This is just a string of numbers denoting the number of seconds since midnight on Jan 1st 1970, e.g. <1367147130836> in your event above.

Either of these can be used by you, but will require some configuration of the props.conf file.

If you want to use the first timestamp, then your props would look something like this:

[your sourcetype]
TIME_PREFIX = ^<
TIME_FORMAT = %b %d, %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 50

If you want to use the second timestamp, then your props would look something like this:

[your_sourcetype]
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 500

If you look closely, there is a difference (in time) between the two timestamps. In your example, the first timestamp stays the same, but the epoch increases slightly.

More info to be found here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://strftime.net/
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian
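An added example (not from this thread, and not Splunk's own code) that does in plain Python what Question 2 asks a timechart to do: it reads the 13-digit value at the end of each event as epoch milliseconds (so it divides by 1000), buckets events by minute, and counts events whose _raw has data against blank ones. The SAMPLE_LOG is constructed from the events above with blank lines mixed in; the 1-minute span and the rule that an event without its own timestamp inherits the previous event's time are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not from the thread): three of the question's events,
# with blank lines standing in for _raw fields that carry no data.
SAMPLE_LOG = """\
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130834>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>

<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147190836>
"""

# The trailing <1367147130834> is 13 digits: epoch milliseconds, not seconds.
EPOCH_MS = re.compile(r"<(\d{13})>\s*$")


def event_time(line):
    """Return the event's UTC time from its epoch-ms field, or None if absent."""
    m = EPOCH_MS.search(line)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)


def timechart_blank_vs_data(text, span_seconds=60):
    """Per time bucket, count events with data vs blank events, in the spirit
    of `| eval kind=if(len(trim(_raw))>0,"data","blank") | timechart span=1m
    count by kind` (SPL given for orientation only, not verified here).
    Assumption: an event with no timestamp of its own (e.g. a blank line)
    inherits the time of the previous event."""
    buckets = defaultdict(lambda: {"data": 0, "blank": 0})
    current = None
    for raw in text.splitlines():
        ts = event_time(raw)
        if ts is not None:
            current = ts
        if current is None:
            continue  # no earlier timestamp to anchor this event to
        bucket_start = int(current.timestamp()) // span_seconds * span_seconds
        key = datetime.fromtimestamp(bucket_start, tz=timezone.utc).isoformat()
        buckets[key]["data" if raw.strip() else "blank"] += 1
    return dict(buckets)


if __name__ == "__main__":
    for bucket, counts in sorted(timechart_blank_vs_data(SAMPLE_LOG).items()):
        print(bucket, counts)
```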
