Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to take timestamp from this

gajananh999
Contributor
‎06-10-2014 01:50 AM

Dear all,

I need your help to how to remove timestamp from this field.

2014-05-19T03:25:26.000-04:00

There is TO word in this so i want to remove that and remove the last -04:00 also.

Can anybody help me on this on regular expression?

Thanks

Gajanan Hiroji

Tags (2)
0 Karma
Reply

gajananh999
Contributor
‎06-10-2014 05:11 AM

This is my log file 

Timestamp   Event
5/22/14 10:32:15.000 AM [2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] [ecid: 00^sq] [tid: 1604]  [36007] Loading repository.

Here it show Timestamp 5/22/14 10:32:15.000 AM But the actual timestamp is 2014-05-22T05:02:15.000+00:00 which should be 5/22/14 05:02:15.000 AM exactly 5.30 hours it is increasing for all the event what may be the reason behind this?

Thanks

Gajanan Hiroji

0 Karma
Reply

lcrielaa
Communicator
‎06-10-2014 04:07 AM

Depends on what you're looking for but here's some examples:

Regex capture group for date and time

^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}\.\d{3})-\d{2}:\d{2}

Splunk rex command for extracting date and time

| rex field=_raw ^(?<Date>\d{4}-\d{2}-\d{2})T(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})-\d{2}:\d{2}

In props.conf, you'll want something like TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N

Also, there isn't a word "TO" in there, it's just the letter T and the zero. It's not the letter O.

Reply

gajananh999
Contributor
‎06-10-2014 05:12 AM

This is my log file 

Timestamp   Event
5/22/14 10:32:15.000 AM [2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] [ecid: 00^sq] [tid: 1604]  [36007] Loading repository.

Here it show Timestamp 5/22/14 10:32:15.000 AM But the actual timestamp is 2014-05-22T05:02:15.000+00:00 which should be 5/22/14 05:02:15.000 AM exactly 5.30 hours it is increasing for all the event what may be the reason behind this?

Thanks

Gajanan Hiroji

0 Karma
Reply

gajananh999
Contributor
‎06-10-2014 04:26 AM

But when i try to do field extract with the same Regex it shows Regex does not extract any named fields. I tried removing last part of regex that is -\d{2}:\d{2} because it was not required for me. Am I going wrong somewhere?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...