web event start time, splunk record time and endti...

cyberfan · ‎10-04-2020

Given free sample http stream data download from splunk website. I got two questions with start time, record time and endtime.

(1). is "_time" the recorded time by splunk index? how to output as "H:MM:SS" format. and "HH:MM:SS" format respectfully? example, 18:27.36.257, HH:MM:SS will be 18:27:36, H:MM:SS will be 6:27:36

(2), say, user enter hacker.com/a.js in chrome at 18:27:36, at 18:27:50, a.js start loading, 18:28:59, a.js finished execution, would splunk index capture start time, record time, endtime? what are the fields? thanks

dpitts007 · ‎10-05-2020

Please post the URL for the sample data you are referring to.

(1) Essentially _time should represent the time included within the raw audit event (when it can be determined):
https://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps

You can convert _time as "H:MM:SS" format:
index=* | eval t=strftime(_time, "%I:%M:%S") | table _time, t

You can convert _time as "HH:MM:SS" format:
index=* | eval t=strftime(_time, "%H:%M:%S") | table _time, t

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables

Leave off the trailing pipe into table once you have confirmed that is what you wanted.

web event start time, splunk record time and endtime in http stream data

field extraction

fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!