Hello,
I have a problem when I want to extract the timestamp from an event while adding data to Splunk.
Here is a sample event:
<LOG>
<DATE>12022012</DATE>
<TIME>004459</TIME>
<EventID>131</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>33</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000004</Keywords>
<EventRecordID>7150639</EventRecordID>
<Correlation />
</LOG>
I matched the timestamp prefix with this regex: \s*(?=\d{8}<\/DATE>\s*\d{6})
But I have a problem with the timestamp format because the Date and Time are not in the same line.
However, if the Date and Time were on the same line, Splunk could recognize the timestamp with this configuration:
Timestamp prefix: \s*(?=\d{8}<\/DATE>\s*\d{6})
Timestamp format: %d%m%Y%H%M%S
I really appreciate any help you can provide.
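The following is an added example, not code from the poster or from Splunk, that mirrors the problem above: it captures the DATE and TIME elements across the line break, joins the digits, and parses them with the posted format %d%m%Y%H%M%S. The capture regex and the sample event are constructed here for illustration.

```python
import re
from datetime import datetime

# Constructed sample event mirroring the posted one (DATE and TIME on separate lines).
SAMPLE_EVENT = """<LOG>
<DATE>12022012</DATE>
<TIME>004459</TIME>
<EventID>131</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>33</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000004</Keywords>
<EventRecordID>7150639</EventRecordID>
<Correlation />
</LOG>"""

# Hypothetical capture pattern (not the poster's prefix regex): \s* lets the
# match span the newline between </DATE> and <TIME>, so both values are taken
# from one match even though they sit on different lines.
DATE_TIME_RE = re.compile(r"<DATE>(\d{8})</DATE>\s*<TIME>(\d{6})</TIME>")

# The poster's format string, applied to the concatenated DATE+TIME digits.
TIME_FORMAT = "%d%m%Y%H%M%S"


def extract_timestamp(event: str) -> datetime:
    """Join the DATE and TIME digits and parse them as one timestamp.

    Raises ValueError when the pair is missing or does not form a real
    calendar date, so a malformed event fails loudly instead of silently
    receiving the wrong time.
    """
    m = DATE_TIME_RE.search(event)
    if m is None:
        raise ValueError("event has no DATE/TIME pair")
    date_digits, time_digits = m.groups()
    return datetime.strptime(date_digits + time_digits, TIME_FORMAT)


def has_valid_timestamp(event: str) -> bool:
    """True if the event carries a DATE/TIME pair that parses under TIME_FORMAT."""
    try:
        extract_timestamp(event)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(extract_timestamp(SAMPLE_EVENT).isoformat())  # 2012-02-12T00:44:59
```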