Splunk recognizing Julian Date and Elapsed Seconds

I am feeding a log event into Splunk that has a julian date and a time that consists of seconds since midnight:

2455814 44709 192.168.186.211 P19135 155018519 28632 0 ABCDE/NT RETRIEVE 32 99999

The first value is the julian date, the second is the seconds since midnight.

How can I configure Splunk to understand the date or timestamp in this case?

asked 09 Sep '11, 11:25

maverick ♦
2.8k●40●21●107
accept rate: 14%

2 Answers:

oldest newest most voted

I'm afraid your only hope here would be if you were able to specify such exotic time annotations as "julian date" or "seconds since midnight" as a strptime() function in TIME_FORMAT.

And from what I can see, that's just not an available option. I would encourage you to open an enhancement request if you would like this to be supported. Please make sure to include a log sample!

link

answered 09 Sep '11, 14:06

hexx ♦
13.6k●9●15●68
accept rate: 56%

edited 09 Sep '11, 15:14

I see the following post in a splunk forum back in 2006:

http://www.splunk.com/support/forum:SplunkGeneral/55

Tbe last comment is - :

3 posted by: cfrln | posts date: February 7, 2006 permalink We have the samples here at Splunk and will be resolving the bug in recognizing Julian dates in our next minor release. Thanks MaryAnn for raising the issue.

Anyone know if Splunk can translate Julian dates now and if so what the notation or TIME_FORMAT might be?

(09 Sep '11, 14:12) twstanley

The closest thing I can think of that is supported in TIME_FORMAT is : %j : The day number in the year (1-366). I think the post you found refers to SPL-1866 for which the recognition of ordinal dates (some combination of year and number of days elapsed since Jan 1st : something like %y%j in strptime annotation) was implemented in Splunk. There appears to be occasional confusion between the two concepts.

(09 Sep '11, 14:31) hexx ♦

Someone pointed out to me that the number given in my example is the Julian Date Number (JDN), not the Julian Date. There is a slight difference between the two as the JDN truncates the effective date and the variant is set to noon GMT. There is a specific formula to express this in UNIX time. Unfortunately, that part requires math and I don't believe there is a way, currently, to use a transform to modify the indexing date field on the fly so until the product is enhanced to handle this case, it will not be possible to recognize an MJD automatically.

However, it CAN be done at search time using the following formula:

UNIX Time = { (Julian Date Number <a field extraction> – Unix Epoch <expressed in Julian Date Number notation>) * seconds in a day – Julian Date Number GMT Offset <expressed in seconds> } + Number of seconds since midnight <a field extraction>

Here are the extractions:

EXTRACT-jdn = (?i)^(?P<jdn>[^ ]+)
EXTRACT-ssm = (?i)^[^ ]* (?P<ssm>[^ ]+)

And here is a sample search:

sourcetype="test" | eval uepoch = ((jdn - 2440587.5) * (60 * 60 * 24)) - (60 * 60 * 12) + ssm | eval logdate = strftime(uepoch,"%c %Z")

link

answered 12 Sep '11, 06:06

maverick ♦
2.8k●40●21●107
accept rate: 14%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

indexing ×465
timestamp ×262
datetime ×28
juliandate ×2
mjd ×1

Asked: 09 Sep '11, 11:25

Seen: 859 times

Last updated: 12 Sep '11, 06:06

Splunk recognizing Julian Date and Elapsed Seconds

Follow this question

Splunk Resources

Related questions