- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to solve the date issue and how to count the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to solve the date issue and how to count the _raw fields from a log using time chart
Hi
I have uploaded a log contains below type of events with time stamp;
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130834>
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130834>
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130835>
<[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <> b1fe329591f98bd5:-37ab5bee:13e4ebbd6e2:-8000-0000000000ae440b <1367147130836>
After uploading into splunk, am getting the view which contains fields _time, source, host, sourcetype,punct and _raw.
Question1) The date in log shows Apr 28 2013 11.05 but in the splunk under _time field it shows as "4/28/2013 12:55:33".How to solve this issue?
Question2) I need to count no of _raw fileds which contains data and which is blanks using the time stamp.for example at the time of Apr 28 2013 11.05, count of _raw fields having some data and count of _raw fields does not having any data or blank.How to do this?
Sorry i am not able to attach the image or screen shot of splunk view with this query since am getting error.
Please share any mail id so that i can provide sample of splunk view to understand better if need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your events actually contain two timestamps.
One is the rather clumsy one in the beginning of the event, which I believe can be problematic for Splunk to understand without specific configuration from you.
The other is the epoch timestamp further into the message. This is just a string of numbers denoting the number of seconds since midnight on Jan 1st 1970, e.g. <1367147130836> in your event above.
Either of these can be used by you, but will require some configuration of the props.conf file.
If you want to use the first timestamp, then your props would look something like this;
[your sourcetype]
TIME_PREFIX = ^<
TIME_FORMAT = %b %d,="" %Y="" %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 50
If you want to use the second timestamp, then your props would look something like this;
[your_sourcetype]
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 500
If you look closely, there is a difference (in time) between the two timestamps. In your example, the first timestamp stays the same, but the epoch increases slightly.
More info to be found here;
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://strftime.net/
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
Hope this helps,
Kristian
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
