I am feeding a log event into Splunk that has a Julian date and a time that consists of seconds since midnight:
2455814 44709 192.168.186.211 P19135 155018519 28632 0 ABCDE/NT RETRIEVE 32 99999
The first value is the Julian date, the second is the seconds since midnight.
How can I configure Splunk to understand the date or timestamp in this case?
asked 09 Sep '11, 11:25
I'm afraid your only hope here would be if you were able to specify such exotic time annotations as "julian date" or "seconds since midnight" as a strptime() function in TIME_FORMAT.
And from what I can see, that's just not an available option. I would encourage you to open an enhancement request if you would like this to be supported. Please make sure to include a log sample!
Someone pointed out to me that the number given in my example is the Julian Date Number (JDN), not the Julian Date. There is a slight difference between the two, as the JDN truncates the effective date and the variant is set to noon GMT. There is a specific formula to express this in UNIX time. Unfortunately, that part requires math, and I don't believe there is a way, currently, to use a transform to modify the indexing date field on the fly, so until the product is enhanced to handle this case, it will not be possible to recognize an MJD automatically.
However, it CAN be done at search time using the following formula:
Here are the extractions (props.conf, in the stanza for the sourcetype used in the search below):

[test]
EXTRACT-jdn = (?i)^(?P<jdn>[^ ]+)
EXTRACT-ssm = (?i)^[^ ]* (?P<ssm>[^ ]+)
And here is a sample search:
sourcetype="test" | eval uepoch = ((jdn - 2440587.5) * (60 * 60 * 24)) - (60 * 60 * 12) + ssm | eval logdate = strftime(uepoch,"%c %Z")
answered 12 Sep '11, 06:06
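The conversion in the answer above, worked through outside Splunk as an added example (this is not code from the original question or answer). It parses the sample line from the question, applies the same arithmetic as the SPL `eval` (JDN to Julian Date at 00:00 UTC, minus the 12-hour noon offset, plus seconds since midnight), and cross-checks the result against an independent Gregorian-date-to-JDN formula so you can confirm that 2455814 really is 9 September 2011 before trusting the search-time field. The sample line is the one from the question; the range check on the seconds field is an assumption about what a sane log line should contain.

```python
from datetime import datetime, timezone

# 1970-01-01 00:00 UTC expressed as a Julian Date. The Julian Day Number
# (integer, counted from noon UTC) for that same day is 2440588.
JD_UNIX_EPOCH = 2440587.5
SECONDS_PER_DAY = 86400

# Sample line copied from the question: JDN, seconds since midnight, then payload.
SAMPLE_LINE = (
    "2455814 44709 192.168.186.211 P19135 155018519 28632 0 "
    "ABCDE/NT RETRIEVE 32 99999"
)


def jdn_ssm_to_epoch(jdn: int, ssm: int) -> int:
    """Same computation as the SPL eval in the answer.

    (jdn - 2440587.5) * 86400 lands on noon UTC of that day, because a JDN
    labels the day that begins at noon; subtract 12 hours to reach midnight,
    then add the seconds-since-midnight field.
    """
    return int((jdn - JD_UNIX_EPOCH) * SECONDS_PER_DAY - 12 * 3600 + ssm)


def parse_line(line: str) -> dict:
    """Mirror the two EXTRACT-* regexes: first field is the JDN, second is ssm."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected at least a JDN and a seconds-since-midnight field")
    jdn, ssm = int(fields[0]), int(fields[1])
    # Assumed sanity check: a seconds-since-midnight value must fit in one day.
    if not 0 <= ssm < SECONDS_PER_DAY:
        raise ValueError(f"seconds since midnight out of range: {ssm}")
    epoch = jdn_ssm_to_epoch(jdn, ssm)
    return {
        "jdn": jdn,
        "ssm": ssm,
        "epoch": epoch,
        "timestamp": datetime.fromtimestamp(epoch, tz=timezone.utc),
    }


def gregorian_to_jdn(year: int, month: int, day: int) -> int:
    """Independent check: the standard integer formula for the JDN of a
    proleptic Gregorian calendar date (the day that starts at noon UTC)."""
    a = (14 - month) // 12
    y = year + 4800 - a
    m = month + 12 * a - 3
    return day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045


def roundtrip_ok(line: str) -> bool:
    """Convert the line, then recompute the JDN from the resulting calendar
    date; the two must agree or the offset handling is wrong."""
    parsed = parse_line(line)
    ts = parsed["timestamp"]
    return gregorian_to_jdn(ts.year, ts.month, ts.day) == parsed["jdn"]


if __name__ == "__main__":
    result = parse_line(SAMPLE_LINE)
    print(result["epoch"], result["timestamp"].isoformat())
    print("roundtrip consistent:", roundtrip_ok(SAMPLE_LINE))
```

If the JDN field were ever a fractional Julian Date (noon-based, with a .5 at midnight) rather than an integer JDN, the 12-hour correction would double-count; the roundtrip check above is the quickest way to catch that kind of off-by-half-a-day mistake.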