Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk User Manual (Splunk v2.0)
Training Splunk
Timestamps
If Splunk does not recognize the timestamps in a specific source, you can train it on a sample file of those events. Type this command.
# splunk learn dates
Splunk will prompt you for a file to use, and then prompt you to identify which fields in the file's events are timestamps.
A Sample Session
In the session below, we'll train Splunk to recognize timestamps in a WebLogic output log.
# splunk learn dates
------------------------------------------------------
What operation do you want to perform? (default=learn)
------------------------------------------------------
Enter choice: [Learn]/Test/Quit > l
Enter full filename from which to learn dates > /home/joe/logs/weblogic.stdout.log
---------------------------------------------------------------
If a line has no timestamp, hit enter; hit control-c when done.
---------------------------------------------------------------
####<Jun 3, 2005 5:37:53 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <<WLS Kernel>> <> <BEA-000327> <Starting WebLogic Admin Server "asiAdminServer" for domain "asiDomain">
--------------------------------------------------------------------------------
Enter timestamp values as: month, day, year, hour, minute, second, ampm, timezone.
>
We type in the values from the event that correspond to the fields listed above.
> jun, 3, 2005, 5, 37, 53, pm, mdt
Learned pattern.
Splunk will continue until it finds another event whose timestamp it cannot parse.
Learned pattern.
. . . . . . . .
Validity: [From: Thu Mar 21 13:12:27 MST 2002,
--------------------------------------------------------------------------------
Enter timestamp values as: month, day, year, hour, minute, second, ampm, timezone.
The timestamp does not contain an AM/PM field, so we leave that blank.
> mar, 21, 2002, 13, 12, 27,, mst
Learned pattern.
......
SerialNumber: [ 33f10648 fcde0deb 4199921f d64537f4]
--------------------------------------------------------------------------------
Enter timestamp values as: month, day, year, hour, minute, second, ampm, timezone.
>
This line doesn't have a timestamp, so we'll just press Enter to continue.
>
0000: 9D 26 4C 29 C8 91 C3 A7 06 C3 24 6F AE B4 F8 82 .&L)......$o....
--------------------------------------------------------------------------------
Enter timestamp values as: month, day, year, hour, minute, second, ampm, timezone.
>
We've trained Splunk enough, so we'll hit Ctrl-C to exit the training.
> ^C
Patterns Learned. Manually add these to '/opt/splunk/etc/datetime.xml' and add pattern names to timePatterns and datePatterns.
--------------------------------------------------------------------------------
<define name="weblogic_1_date" extract="litmonth,day,year,">
<text><![CDATA[#+\<(\w+)\s(\d+),\s(\d+)]]></text>
</define>
<define name="weblogic_1_time" extract="hour,minute,second,ampm,zone,">
<text><![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]></text>
</define>
<define name="weblogic_2_date" extract="litmonth,day,year,">
<text><![CDATA[\w:\s\w+\s(\w+)\s(\d+)\s\d+:\d+:\d+\s\w+\s(\d+)]]></text>
</define>
<define name="weblogic_2_time" extract="hour,ampm,minute,second,zone,">
<text><![CDATA[\w+\s\d+\s(\d+)():(\d+):(\d+)\s(\w+)]]></text>
</define>
------------------------------------------------------
What operation do you want to perform? (default=learn)
------------------------------------------------------
Enter choice: [Learn]/Test/Quit > q
#
To put the training into effect, we'll need to add the above lines to our datetime.xml file, as shown below.
How to Add Trained Patterns
The training session creates one or more pairs of XML definitions. Each pair has one entry named ____date and one named ____time. The example below shows our WebLogic trained patterns from above added correctly to $SPLUNK_HOME/etc/datetime.xml.
- Insert all the pattern definitions (the define blocks) inside the datetime tags in the file.
- Insert an entry for each ____date pattern name inside the datePatterns tags.
- Insert an entry for each ____time pattern name inside the timePatterns tags.
<!-- datetime.xml -->
<!-- This file contains the general formulas for parsing date/time formats. -->
<datetime>
<define name="weblogic_1_date" extract="litmonth,day,year,">
<text><![CDATA[#+\<(\w+)\s(\d+),\s(\d+)]]></text>
</define>
<define name="weblogic_1_time" extract="hour,minute,second,ampm,zone,">
<text><![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]></text>
</define>
<define name="weblogic_2_date" extract="litmonth,day,year,">
<text><![CDATA[\w:\s\w+\s(\w+)\s(\d+)\s\d+:\d+:\d+\s\w+\s(\d+)]]></text>
</define>
<define name="weblogic_2_time" extract="hour,ampm,minute,second,zone,">
<text><![CDATA[\w+\s\d+\s(\d+)():(\d+):(\d+)\s(\w+)]]></text>
</define>
<...>
<timePatterns>
<...>
<use name="weblogic_1_time"/>
<use name="weblogic_2_time"/>
</timePatterns>
<datePatterns>
<...>
<use name="weblogic_1_date"/>
<use name="weblogic_2_date"/>
</datePatterns>
</datetime>
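Before restarting, it is worth confirming that the learned regexes really pull the fields you entered out of a sample event and that every use entry names a pattern that is actually defined. The script below is an added example, not Splunk's own code: it loads a constructed datetime.xml fragment built from the weblogic_1 patterns above, applies them to the WebLogic line from the session, and flags use names with no matching define. It assumes Splunk maps each capture group positionally onto the names in the extract attribute; the walk through datePatterns includes a deliberately misspelled name so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed datetime.xml fragment: the two weblogic_1 patterns learned above plus a
# deliberately wrong <use> name (trailing colon) for the consistency check to catch.
# Assumption: Splunk maps capture groups positionally onto the names in "extract"; this
# script only mimics that mapping and is not Splunk's own timestamp engine.
DATETIME_XML = r"""<datetime>
<define name="weblogic_1_date" extract="litmonth,day,year,">
<text><![CDATA[#+\<(\w+)\s(\d+),\s(\d+)]]></text>
</define>
<define name="weblogic_1_time" extract="hour,minute,second,ampm,zone,">
<text><![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]></text>
</define>
<timePatterns><use name="weblogic_1_time"/></timePatterns>
<datePatterns><use name="weblogic_1_time:"/></datePatterns>
</datetime>"""
# Constructed sample event, copied from the WebLogic line in the training session above.
EVENT = '####<Jun 3, 2005 5:37:53 PM MDT> <Notice> <WebLogicServer> <bea03>'

def load_defines(xml_text):
    """Return {name: (compiled regex, [field names])} for every <define>."""
    root = ET.fromstring(xml_text)
    out = {}
    for d in root.findall("define"):
        fields = [f for f in d.get("extract").split(",") if f]  # trailing comma -> no field
        out[d.get("name")] = (re.compile(d.find("text").text), fields)
    return out

def extract_fields(defines, name, event):
    """Apply one learned pattern to an event; field dict, or None if it does not match."""
    regex, fields = defines[name]
    return dict(zip(fields, m.groups())) if (m := regex.search(event)) else None

def parse_event(defines, date_name, time_name, event):
    """Combine a _date and a _time pattern into a naive datetime (zone is extracted, not applied)."""
    d, t = extract_fields(defines, date_name, event), extract_fields(defines, time_name, event)
    if not d or not t:
        return None
    text = f"{d['litmonth']} {d['day']} {d['year']} {t['hour']}:{t['minute']}:{t['second']}"
    if t.get("ampm"):  # weblogic_2_time leaves ampm empty, so its hour is read as 24h below
        return datetime.strptime(f"{text} {t['ampm']}", "%b %d %Y %I:%M:%S %p")
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def dangling_uses(xml_text):
    """<use> names in timePatterns/datePatterns matching no <define>; must be empty before restart."""
    defined, root = load_defines(xml_text), ET.fromstring(xml_text)
    return sorted(u.get("name") for sec in ("timePatterns", "datePatterns")
                  for u in root.findall(f"{sec}/use") if u.get("name") not in defined)
```

Run it against your real $SPLUNK_HOME/etc/datetime.xml and a few lines of the source file: an empty list from dangling_uses and a sensible parse_event result are what you want to see before the restart.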
When you have finished, restart the server and check your results as described in the Test Configuration Changes section of the Admin Manual.