Solved: Re: Timestamp extraction in multiline event

zapping575 · ‎07-27-2022

Hi all,

can somebody please give me a hand w/ this. I would like to extract the timestamp from an Event like this:

Info1:   ASDF
Info2:          QWE
Info3:          YXC
Time:                MON JAN 01 00:00:00 2022

Here is what I am using in props.conf. According to regex101, my TIME_PREFIX should be good, but it doesnt work (splunk uses the current time in the _time field). The fact that weekday and month are capitalized should not be problem.

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = ^.*\n^.*\n^.*\n^Time:\s+

gcusello · ‎07-27-2022

Hi @zapping575,

if the timestamp is the only one wit this format, you don't need to use TIME_PREFIX, but TIME_FORMAT is sufficient.

Then, if you want to use TIME_PREFIX, I'd use one more simplex:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+

but remember to enable

SHOULD_LINEMERGE = True

Then, where do you located this props.conf?

it must be in the Indexers or (when present) on Heavy Forwarders.

Ciao.

Giuseppe

View solution in original post

richgalloway · ‎07-27-2022

I suspect Splunk is having a problem with the newlines in the regex. I've seen that before. Try these settings:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎07-27-2022

Hi @zapping575,

if the timestamp is the only one wit this format, you don't need to use TIME_PREFIX, but TIME_FORMAT is sufficient.

Then, if you want to use TIME_PREFIX, I'd use one more simplex:

TIME_FORMAT = %a %b %e %H:%M:%S %Y
TIME_PREFIX = Time:\s+

but remember to enable

SHOULD_LINEMERGE = True

Then, where do you located this props.conf?

it must be in the Indexers or (when present) on Heavy Forwarders.

Ciao.

Giuseppe

zapping575 · ‎07-27-2022

Ciao @gcusello

Yes, its working!

Funnily enough, before I tried the RegEx shown in the OP, I tried one which is very close to yours, but didnt work :):

^Time:\s+

Thank you very much.

While I know that this is an off topic question, a different problem has turned up now:
The file contains a header that I cannot seem to get rid of.

I tried setting

FIELD_HEADER_REGEX = ==\[

but this again did not work. Here is the header: (notice the "==[", after which the first event begins)

Info1: qwe
Info2: asd
Info3: yxc
Info4: foo
Info5: bar
Info6: baz
Info7: fizz
Info8: buzz

==[

gcusello · ‎07-27-2022

Hi @zapping575 ,

the regex "^Time:\s+" is wrong, because the "^" means that Time is at the beginning of your event and it isn't true.

Anyway, please accept one answer for the other people of Community.

The other question is completely different so I hint to put in a new question, to be sure to have a quicker and probably better answer.

Anyway, what do you want to do: remove header or take it?

If you want to remove it , use SEDCMD command (https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata)

the command you used is to identify header and have the fields list.

Ciao.

Giuseppe

gcusello · ‎07-27-2022

Hi @zapping575,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

How to extract timestamp in multiline event?

props.conf

time

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024