- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to take timestamp from this
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to take timestamp from this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my log file
Timestamp Event
5/22/14 10:32:15.000 AM [2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] [ecid: 00^sq] [tid: 1604] [36007] Loading repository.
Here it show Timestamp 5/22/14 10:32:15.000 AM But the actual timestamp is 2014-05-22T05:02:15.000+00:00 which should be 5/22/14 05:02:15.000 AM exactly 5.30 hours it is increasing for all the event what may be the reason behind this?
Thanks
Gajanan Hiroji
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depends on what you're looking for but here's some examples:
Regex capture group for date and time
^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}\.\d{3})-\d{2}:\d{2}
Splunk rex command for extracting date and time
| rex field=_raw ^(?<Date>\d{4}-\d{2}-\d{2})T(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})-\d{2}:\d{2}
In props.conf, you'll want something like TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
Also, there isn't a word "TO" in there, it's just the letter T and the zero. It's not the letter O.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my log file
Timestamp Event
5/22/14 10:32:15.000 AM [2014-05-22T05:02:15.000+00:00] [oracle] [NOTIFICATION:1] [] [] [ecid: 00^sq] [tid: 1604] [36007] Loading repository.
Here it show Timestamp 5/22/14 10:32:15.000 AM But the actual timestamp is 2014-05-22T05:02:15.000+00:00 which should be 5/22/14 05:02:15.000 AM exactly 5.30 hours it is increasing for all the event what may be the reason behind this?
Thanks
Gajanan Hiroji
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But when i try to do field extract with the same Regex it shows Regex does not extract any named fields. I tried removing last part of regex that is -\d{2}:\d{2} because it was not required for me. Am I going wrong somewhere?
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
