×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
John85
Explorer
Member since: ‎03-06-2022
‎03-08-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-06-2022
View All

Re: Regex Extractions

by in Splunk Search
‎03-07-2022 01:46 AM
‎03-07-2022 01:46 AM
Thank you, that solution worked, it didn't cross my mind to use a conditional statement in the prefix. ... View more

Re: Regex Extractions

by in Splunk Search
‎03-07-2022 12:45 AM
‎03-07-2022 12:45 AM
Hello, If I use MAX_TIMESTAMP_LOOKAHEAD=98, SPlunk only identifies the date from the "ExportScheduler...." line,  normally since I consider the \s  as the TIME_PREFIX, the lookahead shoud only be 12 ( the lenght of the time from the event ) but this doesn't work. The full sourcetype is: [<SOURCETYPE NAME>] CHARSET=UTF-8 LINE_BREAKER=([\r\n]+).*(?:[^ \n]* )*\s(?<time>\d{2}\:\d{2}\:\d{2}\,\d{3}) MAX_TIMESTAMP_LOOKAHEAD=98 NO_BINARY_CHECK=true SHOULD_LINEMERGE=true category=Custom disabled=false pulldown_type=true TIME_PREFIX=\s ... View more

Re: Regex Extractions

by in Splunk Search
‎03-07-2022 12:01 AM
‎03-07-2022 12:01 AM
Hello, Thank you for the reply. I don't use Splunk Web to define the sourcetype, I create it manually. I also define (when I write the props manually) the timestamp format (in this case %H:%M:%S,%3N as you mentioned) and also the prefix (which in this case I consider it to be \s ). I also use the LOOKAHEAD param but without any success. But given the fact that my timestamp is at two different points in the two events which can be found in the same log, Splunk isn't able to extract properly the time, I suspect because the regex I use to identify what is in front of the timestamp, is not OK and it does not help Splunk. If I don't enter the time format it's able to identify the time but when I input the format, the parsing breaks with the mentioned error. ... View more

How to extract the time from the following two eve...

by in Splunk Search
‎03-06-2022 03:04 PM
‎03-06-2022 03:04 PM
Hello, This is my very first post here and I need some advice because I've been trying for a couple of hours to extract the time from the following two events (taken from the same log) and build a proper sourcetype, but I couldn't find a solution: ABIT Stack Job [DBS: ABITNET] ABIT_Outbound[extern] (not exclusive, scheduler) (818209397) 08:59:07,602 *** Threads: 2 ExportScheduler [Node http://127.0.0.1:8080/abitnet]-Thread-18727 08:59:07,622 [fmI9CashFlowArch]Export fmI9CashFlowArch wird ausgeführt... Using regex101 I've gotten .*(?:[^ \n]* )*\s(?<time>\d{2}\:\d{2}\:\d{2}\,\d{3}) but when I try to define a sourcetype, the parsing breaks with "Failed to parse timestamp". The problem is most likely the fact that the timestamp is at a different position in the two events. Do you have any ideas? Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-08-2022 11:39 AM
Karma given to
View All