I have an autosys log with 4 columns (JobName|Start|End|Status) and would like to add them in Splunk.
Two questions --
This link has an example that I included on your previous question. Splunk will only use one timestamp to represent the event time. http://docs.splunk.com/Documentation/Splunk/latest/Data/Configurepositionaltimestampextraction

Once you get the regex ok for the TIME_PREFIX you will also need to set MAX_TIMESTAMP_LOOKAHEAD. In this case I think set it to 50.

The string length of the first column, job name, is between 3 - 60 characters. How can I be sure Splunk won't pick start time as the event time knowing the timestamp format of start and end time is identical?
(30 May '12, 07:53)
shangshin
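The positional-extraction approach discussed above, written out as a props.conf / transforms.conf fragment. This is an added example, not configuration from the thread or from Splunk's documentation; the sourcetype name `autosys_joblog`, the report name `autosys_fields`, and the timestamp layout `%Y-%m-%d %H:%M:%S` are assumptions, and the `{3,60}` bound comes from the job-name length stated in the comment.

```ini
# props.conf  (added example; sourcetype name and TIME_FORMAT are assumed)
[autosys_joblog]
SHOULD_LINEMERGE = false
# Skip "JobName|Start|" so that timestamp recognition begins at the End column.
# The job name is 3-60 characters with no pipe; the Start column is one pipe-free field.
TIME_PREFIX = ^[^|]{3,60}\|[^|]+\|
# Look no further than 50 characters past the prefix match, so Splunk cannot
# wander into the Status column or the next line looking for a date.
MAX_TIMESTAMP_LOOKAHEAD = 50
# Assumed layout of the Start/End columns; adjust to the real autosys format.
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Search-time field extraction for the four pipe-delimited columns.
REPORT-autosys_fields = autosys_fields

# transforms.conf  (added example)
[autosys_fields]
DELIMS = "|"
FIELDS = JobName, Start, End, Status
```

A quick check after restarting the indexer: search the sourcetype, compare `_time` with the `End` field on a few events, and confirm they agree; if `_time` instead matches `Start`, the TIME_PREFIX regex is not consuming the Start column (for example because a job name contains a pipe or exceeds 60 characters).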
1
Yes, that makes it more challenging. I think this is what you were looking for...manipulating the second date field anyways and leaving the current time stamp as is. http://splunk-base.splunk.com/answers/4249/searching-mulitple-time-fields-within-a-record
(30 May '12, 07:56)
sdaniels ♦
This is not a bad solution. Is it possible to use relative time for the function strptime? (e.g. -30m or -2h) The reason I am asking this is because I need to set up an alert and using a specific time won't be feasible.
(30 May '12, 08:39)
shangshin
Let me rephrase. Is there any function like this? index=gops STATUS=closed | eval close_date=strptime(CLOSE_DATE,"%m/%d/%y %H:%M") | where close_date>datediff (@now, -30m)
(30 May '12, 08:50)
shangshin
relative_time will do the magic. I am good. thanks!
(30 May '12, 08:54)
shangshin
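The relative_time() approach that resolved the last question, written as a complete alert search over the four columns named in the question. This is an added example and not a search from the thread; the index and sourcetype names, the `%Y-%m-%d %H:%M:%S` timestamp layout, and the `Status=FAILURE` value are assumptions.

```spl
index=autosys sourcetype=autosys_joblog Status=FAILURE
| eval end_epoch=strptime(End, "%Y-%m-%d %H:%M:%S")
| where end_epoch >= relative_time(now(), "-30m@m")
| table JobName Start End Status
```

Because strptime() and relative_time() both return epoch seconds, the comparison works on the field itself rather than on `_time`, which is what the alert needs when the indexed timestamp cannot be trusted to be the End column. If the props.conf timestamp extraction is already picking End as `_time`, the same alert reduces to `index=autosys sourcetype=autosys_joblog Status=FAILURE earliest=-30m@m`.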
Not sure if those will apply to anything other than the indexed _time for the event, but I'm not sure exactly what you are referencing. You can calculate the time now() in epoch time and do conversions, I think... just not as elegant a solution. http://splunk-base.splunk.com/answers/117/how-do-i-get-the-current-time
(30 May '12, 08:58)
sdaniels ♦