Solved: TIME FORMAT

saad_siddiqi · ‎06-09-2013

Hi,

I have got a CDR file having entires as under, and I am trying to set the RECORD_DATE as the time stamp of event.
Can any one help me out with the TIME_PREFIX regex

I have tried below mentioned but not availing anything.

TIME_PREFIX = ^(?i)|RECORD_DATE=
TIME_PREFIX = (?i)|RECORD_DATE=(?P[^|]+)

Thanks a bunch

Ayn · ‎06-10-2013

Your first won't work because you have a caret sign (^) at the beginning, meaning Splunk should look at the start of the line.

The second won't work because you've included a field extraction syntax as used by rex. This is not used at all (or supported) by TIME_FORMAT.

Also you've specified your regexes to be case insensitive through the initial (?i), you probably don't want that. It won't BREAK anything but still.

Your first TIME_PREFIX should work just fine if you remove the ^ character (and optionally, remove (?i) as well).

View solution in original post

gfuente · ‎06-10-2013

Hello

You almost got it, this one works:

TIME_PREFIX =\|RECORD_DATE=

Regards

saad_siddiqi · ‎06-10-2013

Thanks this worked

Ayn · ‎06-10-2013

Your first won't work because you have a caret sign (^) at the beginning, meaning Splunk should look at the start of the line.

The second won't work because you've included a field extraction syntax as used by rex. This is not used at all (or supported) by TIME_FORMAT.

Also you've specified your regexes to be case insensitive through the initial (?i), you probably don't want that. It won't BREAK anything but still.

Your first TIME_PREFIX should work just fine if you remove the ^ character (and optionally, remove (?i) as well).

saad_siddiqi · ‎06-10-2013

Thanks a lot for the elaborative explanation. That helped a lot

TIME FORMAT

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services