A colleague was trying to use Splunk to ingest a log file with an unusual date/time format.
- The DATE of the event is dd/mm/yyyy and always includes midnight 00:00:00 as part of the date.
- The actual TIME of the event is hhmm. There is no separator or seconds (ss).
- The Event Type is not a fixed value.
- The System is not a fixed value.
It does not seem possible to extract the Date and Time using TIME_PREFIX, TIME_FORMAT etc. in props.conf, as the Date Of Event and Time Of Event are separated by variable text, and this is further compounded by the fact that Date Of Event is followed by something that could be taken as a time stamp.
The thought was that a regex could be the key to a successful date/time extraction, but it does not seem possible to use a regex with TIME_FORMAT as this only takes strptime.
An example of the log file is shown below.
my_custom_log.log
Date Of Event: 01/10/2017 00:00:00 Event: Fan Fail System: az12 Time Of Event: 0150
Date Of Event: 02/10/2017 00:00:00 Event: CPU Fail System: az13 Time Of Event: 1400
Date Of Event: 03/10/2017 00:00:00 Event: Fan Fail System: az12 Time Of Event: 1300
Date Of Event: 04/10/2017 00:00:00 Event: Port Fail System: az14 Time Of Event: 0001
Date Of Event: 05/10/2017 00:00:00 Event: Fan Fail System: az13 Time Of Event: 1730
Date Of Event: 06/10/2017 00:00:00 Event: Disk Fail System: az09 Time Of Event: 2001
Date Of Event: 07/10/2017 00:00:00 Event: Interface Fail System: az12 Time Of Event: 0150
Date Of Event: 08/10/2017 00:00:00 Event: Interface Fail System: az12 Time Of Event: 1030
Date Of Event: 09/10/2017 00:00:00 Event: Port Fail System: az12 Time Of Event: 0800
Date Of Event: 10/10/2017 00:00:00 Event: Fan Fail System: az12 Time Of Event: 0720
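As an added example (not part of the original question, and not a Splunk configuration), the following Python shows the regex approach the question hints at: the date and the four-digit time are captured separately, joined, and parsed with a single strptime format, and each line can be rewritten so the real time directly follows the date before the file is handed to an ingestion pipeline. The field names and the hypothetical `rewrite_line` layout are this example's own choices.

```python
import re
from datetime import datetime

# The date and the hhmm time are captured separately because variable text
# (Event, System) sits between them and the fixed 00:00:00 must be skipped.
LINE_RE = re.compile(
    r"^Date Of Event: (?P<date>\d{2}/\d{2}/\d{4}) 00:00:00 "
    r"Event: (?P<event>.+?) System: (?P<system>\S+) "
    r"Time Of Event: (?P<hhmm>\d{4})$"
)


def parse_line(line):
    """Return (timestamp, event, system) for one log line, or None if the
    line does not match or the hhmm field is not a valid time of day."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        # Join date and hhmm so one strptime format covers both pieces.
        ts = datetime.strptime(f"{m['date']} {m['hhmm']}", "%d/%m/%Y %H%M")
    except ValueError:
        # e.g. "2460" or "1299": reject rather than guess at a time.
        return None
    return ts, m["event"], m["system"]


def rewrite_line(line):
    """Rewrite a line so the real time follows the date (hypothetical
    layout), leaving lines that do not parse untouched."""
    parsed = parse_line(line)
    if parsed is None:
        return line
    ts, event, system = parsed
    return f"Date Of Event: {ts:%d/%m/%Y %H%M} Event: {event} System: {system}"


# Constructed sample, copied from the lines quoted in the question.
SAMPLE = [
    "Date Of Event: 01/10/2017 00:00:00 Event: Fan Fail System: az12 Time Of Event: 0150",
    "Date Of Event: 04/10/2017 00:00:00 Event: Port Fail System: az14 Time Of Event: 0001",
    "Date Of Event: 06/10/2017 00:00:00 Event: Disk Fail System: az09 Time Of Event: 2001",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(rewrite_line(raw))
```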