Extract timestamps from event data using an Edge Processor
You can use a pipeline to extract timestamp fields and convert those timestamps into specific formats. Extracting the timestamp lets you visualize events by time, and converting it lets you put timestamps into the format a destination expects before the data is sent there.
For example, if you have data that contains timestamps in multiple formats, you can convert the timestamp information in your data into one specific format directly from the pipeline editor. This is helpful when certain destinations require you to store timestamps using a particular format.
To convert a timestamp, you write an SPL2 pipeline statement that first extracts the timestamp from your data and then converts it, so that the values taken from those fields are normalized. See Extract fields from event data using an Edge Processor for more information on field extraction.
Steps
- Navigate to the Pipelines page and then select New pipeline.
- Select Blank pipeline and then select Next.
- Specify a subset of the data received by the Edge Processor for this pipeline to process. To do this, you must define a partition by completing these steps:
- Select the plus icon next to Partition, or select the option that matches how you would like to create your partition in the Suggestions section.
- In the Field field, specify the event field that you want the partitioning condition to be based on.
- To specify whether the pipeline includes or excludes the data that meets the criteria, select Keep or Remove.
- In the Operator field, select an operator for the partitioning condition.
- In the Value field, enter the value that your partition should filter by to create the subset. Then select Apply. You can add as many conditions to a partition as you need by selecting the plus icon again.
- Once you have defined your partition, select Next.
- Enter or upload sample data for generating previews that show how your pipeline processes data. The sample data must contain accurate examples of the values that you want to extract into fields. For example, the following sample events represent purchases made at a store at a particular time:
E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, Credit Card, 7.7, 2023-01-13 04:41:00, 2023-01-13 04:45:00, -73.997292, 40.720982, 4532038713619608
A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, Credit Card,14, 2023-01-13 04:37:00, 2023-01-13 04:47:00, -73.966843,40.756741, 4539385381557252
1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, Game Card, 16.5, 2023-01-13 04:26:00, 2023-01-13 04:46:00, -73.956451, 40.771442
- Select the name of the destination that you want to send data to.
- (Optional) If you selected a Splunk platform S2S or Splunk platform HEC destination, you can configure index routing:
- Select one of the following options in the expanded destinations panel:
Option | Description
---|---
Default | The pipeline does not route events to a specific index. If the event metadata already specifies an index, then the event is sent to that index. Otherwise, the event is sent to the default index of the Splunk platform deployment.
Specify index for events with no index | The pipeline routes events to your specified index only if the event metadata did not already specify an index.
Specify index for all events | The pipeline routes all events to your specified index.
- If you selected Specify index for events with no index or Specify index for all events, then in the Index name field, select or enter the name of the index that you want to send your data to.
Be aware that the destination index is determined by a precedence order of configurations. See How does an Edge Processor know which index to send data to? for more information.
- Select Done to confirm the data destination.
After you complete the on-screen instructions, the pipeline builder displays the SPL2 statement for your pipeline.
- To generate a preview of how your pipeline processes data based on the sample data that you provided, select the Preview Pipeline icon.
- Select the plus icon in the Actions section, then select Extract fields from _raw.
- In the Extract fields from _raw dialog box, do the following:
- In the Regular expression field, specify one or more named capture groups using Regular Expression 2 (RE2) syntax. The name of the capture group determines the name of the extracted field, and the matched values determine the values of the extracted field. You can select named capture groups from the Insert from library list or enter named capture groups directly in the field.
For example, to extract timestamps from the sample purchase events in this topic, select Timestamp_ISO8601 from the Insert from library list. The resulting regular expression looks like this:
(?P<Timestamp_ISO8601>(?:\d\d){1,2}-(?:0?[1-9]|1[0-2])-(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[T ](?:2[0123]|[01]?[0-9]):?(?:[0-5][0-9])(?::?(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))?(?:Z|[+-](?:2[0123]|[01]?[0-9])(?::?(?:[0-5][0-9])))?)
For more information about the supported regular expression syntax, see Regular expression syntax for Edge Processor pipelines.
- (Optional) By default, the regular expression matches are case sensitive. To make the matches case insensitive, uncheck the Match case check box.
- Use the Events preview pane to validate your regular expression. The events in this pane are based on the last time that you generated a pipeline preview, and the pane highlights the values that match your regular expression for extraction.
- When you are satisfied with the events highlighted in the Events preview pane, select Apply to perform the timestamp extraction.
A rex command is added to the SPL2 pipeline statement, and the new field appears in the Fields list.
- Convert the extracted timestamp to a different format and store it in a _time field by doing the following:
- In the preview results panel, hover over the header of the Timestamp_ISO8601 field and then select the Options for "Timestamp_ISO8601" icon. Then, select Convert _time from Timestamp_ISO8601.
- In the Source timestamp format field, specify the current format of the timestamps using the time variables supported in SPL2. The format must describe the extracted values exactly as they appear in the Timestamp_ISO8601 field. See Using time variables in the SPL2 Search Manual for more information.
- Select Apply.
A new _time field is added to your events. This field stores the timestamp in Unix epoch format, but the preview continues to display it in a human-readable format. Storing the epoch value ensures an accurate timestamp even if you access the data from a different time zone.
- (Optional) After storing your event timestamps in the _time field, you can remove the Timestamp_ISO8601 field. To do this, add the following fields command to your SPL2 pipeline statement. Make sure to place this command after your field extraction and conversion expressions.
| fields - Timestamp_ISO8601
- To save your pipeline, do the following:
- Select Save pipeline.
- In the Name field, enter a name for your pipeline.
- (Optional) In the Description field, enter a description for your pipeline.
- Select Save.
- To apply this pipeline to an Edge Processor, do the following:
- Navigate to the Pipelines page.
- In the row that lists your pipeline, select the Options icon and then select Apply/Remove.
- Select the Edge Processors that you want to apply the pipeline to, and then select Save.
You can only apply pipelines to Edge Processors that have a healthy status.
It can take a few minutes for the Edge Processor service to finish applying your pipeline to an Edge Processor. During this time, all Edge Processors that the pipeline is applied to will have a Pending status. To confirm that the process completed successfully, do the following:
- Navigate to the Edge Processors page. Then, verify that the Instance health column for the affected Edge Processors shows that all instances are back in the Healthy status.
- Navigate to the Pipelines page. Then, verify that the Applied column for the pipeline contains a The pipeline is applied icon.
You might need to refresh your browser to see the latest updates.
Example: Extract and convert timestamp fields and drop all other data values
Consider the following events, which represent purchases and the time at which each purchase was made at a store:
E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, Credit Card, 7.7, 2023-01-13 04:41:00 AM, 2023-01-13 04:45:00 AM, -73.997292, 40.720982, 4532038713619608
A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, Credit Card, 14, 2023-01-13 04:37:00 AM, 2023-01-13 04:47:00 AM, -73.966843,40.756741, 4539385381557252
1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, Game Card, 16.5, 2018-01-13 04:26:00 AM, 2023-01-13 04:46:00 AM, -73.956451, 40.771442
You only want to keep the information about when each purchase was made. You want to convert that timestamp into a different format and then drop the rest of the data, which includes confidential information such as credit card numbers.
In the Extract fields from _raw dialog box, do the following:
- To extract the timestamp of the purchase into a field named Timestamp_ISO8601, select Timestamp_ISO8601 from the Insert from library list.
- In the preview results panel, select the header of the Timestamp_ISO8601 field to make the Options icon appear. Select that icon to open the Options menu and then select Convert Timestamp_ISO8601 to update _time.
- Specify a Source timestamp format from the menu and click Apply.
- (Optional) Drop the Timestamp_ISO8601 field and keep only the _time field that you extracted by adding the following fields command to the SPL2 statement of the pipeline. Make sure to place this command after the commands that are used for extracting and converting the timestamp.
| fields - Timestamp_ISO8601
After completing these steps, you'll have a pipeline with the following SPL2 statement:
$pipeline = | from $source
| rex field=_raw /(?P<Timestamp_ISO8601>(?:\d\d){1,2}-(?:0?[1-9]|1[0-2])-(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[T ](?:2[0123]|[01]?[0-9]):?(?:[0-5][0-9])(?::?(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))?(?:Z|[+-](?:2[0123]|[01]?[0-9])(?::?(?:[0-5][0-9])))?)/
| eval _time = strptime(Timestamp_ISO8601, "%Y-%m-%d %H:%M:%S")
| fields - Timestamp_ISO8601
| into $destination;
Note that the final fields command removes only the Timestamp_ISO8601 helper field. The _raw field, which still contains the complete purchase record including the card number, is not touched by this statement, so if the destination must not receive that data you need to remove _raw with a fields command as well.
The preview results show the following timestamps from your events:
_time |
---|
8:41:00 PM 12 Jan 2023 |
8:37:00 PM 12 Jan 2023 |
8:26:00 PM 12 Jan 2023 |
The extracted strings carry no time zone designator and the source timestamp format has no zone variable either, so the epoch value depends on the zone in which the timestamp is parsed, and the preview renders _time in your browser's local time zone. The values above are eight hours earlier than the strings in the events, which is what a viewer in a UTC-8 zone sees for timestamps parsed as UTC. If the clock that produced your events is not UTC, make sure the events carry an offset and include the matching %z variable in the source timestamp format; otherwise the stored _time is off by that offset.
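To check the library pattern and the source timestamp format against your own sample events before you apply the pipeline, the following Python script, added here as an example and not part of Splunk's documentation or product, re-implements the three stages of the statement above (rex, eval _time = strptime(...), fields -) with Python's re and datetime modules. It assumes that Python's re accepts this RE2 pattern unchanged (it does, since the pattern uses only a named group, character classes and quantifiers) and that SPL2 strptime treats a format with no zone variable as UTC, which agrees with the preview above but should be confirmed in your own environment. The sample events are the three purchase records from this page plus one constructed record with a PM purchase time; the function names (rex_timestamp, eval_time, run_pipeline, pm_marker_present, leaks_card_number) and the drop_raw option are the example's own, and the last two exist to show that `| fields - Timestamp_ISO8601` by itself leaves the card numbers in _raw.

```python
"""Offline re-implementation of the timestamp pipeline on this page.

Added example, not Splunk code. Stages mirrored:
  rex field=_raw /.../           -> rex_timestamp()
  eval _time = strptime(...)     -> eval_time()
  fields - Timestamp_ISO8601     -> run_pipeline()
Assumption: SPL2 strptime parses a zone-less format as UTC (confirm locally).
"""
import re
from datetime import datetime, timezone

# Timestamp_ISO8601 pattern from the Insert from library list, verbatim.
# Python's re accepts this RE2 pattern as-is (named group, classes, quantifiers).
TIMESTAMP_ISO8601 = re.compile(
    r"(?P<Timestamp_ISO8601>(?:\d\d){1,2}-(?:0?[1-9]|1[0-2])-"
    r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[T ]"
    r"(?:2[0123]|[01]?[0-9]):?(?:[0-5][0-9])"
    r"(?::?(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))?"
    r"(?:Z|[+-](?:2[0123]|[01]?[0-9])(?::?(?:[0-5][0-9])))?)"
)

# Value entered in the Source timestamp format field (SPL2 time variables).
SOURCE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: the three purchase records from this page plus a
# made-up fourth record (hypothetical IDs, test card number 4111111111111111)
# whose purchase time is a PM value.
SAMPLE_EVENTS = [
    "E9FF471F36A91031FE5B6D6228674089, 72E0B04464AD6513F6A613AABB04E701, "
    "Credit Card, 7.7, 2023-01-13 04:41:00 AM, 2023-01-13 04:45:00 AM, "
    "-73.997292, 40.720982, 4532038713619608",
    "A5D125F5550BE7822FC6EE156E37733A, 08DB3F9FCF01530D6F7E70EB88C3AE5B, "
    "Credit Card, 14, 2023-01-13 04:37:00 AM, 2023-01-13 04:47:00 AM, "
    "-73.966843,40.756741, 4539385381557252",
    "1E65B7E2D1297CF3B2CA87888C05FE43,F9ABCCCC4483152C248634ADE2435CF0, "
    "Game Card, 16.5, 2023-01-13 04:26:00 AM, 2023-01-13 04:46:00 AM, "
    "-73.956451, 40.771442",
    "0000000000000000000000000000DEAD, 0000000000000000000000000000BEEF, "
    "Credit Card, 9.5, 2023-01-13 04:52:00 PM, 2023-01-13 05:01:00 PM, "
    "-73.950000, 40.760000, 4111111111111111",
]


def rex_timestamp(raw):
    """Stage 1: first match of the library pattern in _raw, or None."""
    m = TIMESTAMP_ISO8601.search(raw)
    return m.group("Timestamp_ISO8601") if m else None


def pm_marker_present(raw):
    """True when the matched timestamp is directly followed by a PM marker.

    The library pattern stops before AM/PM and %H in the source format is a
    24-hour field, so such a value is stored 12 hours early with no error.
    """
    m = TIMESTAMP_ISO8601.search(raw)
    return m is not None and re.match(r"\s*PM\b", raw[m.end():]) is not None


def eval_time(ts, fmt=SOURCE_FORMAT, tz=timezone.utc):
    """Stage 2: epoch seconds for ts parsed with fmt. fmt carries no zone, so
    the caller supplies one (UTC assumed, see the module docstring)."""
    return datetime.strptime(ts, fmt).replace(tzinfo=tz).timestamp()


def run_pipeline(events, drop_raw=False):
    """Stages 1-3 over a batch of _raw strings.

    drop_raw=False mirrors the page's `| fields - Timestamp_ISO8601`, which
    removes only the helper field and leaves _raw intact. drop_raw=True also
    removes _raw, which is what actually keeps the card numbers away from the
    destination. Events with no rex match pass through without _time.
    """
    out = []
    for raw in events:
        rec = {"_raw": raw}
        ts = rex_timestamp(raw)
        if ts is not None:
            rec["Timestamp_ISO8601"] = ts
            rec["_time"] = eval_time(ts)
        rec.pop("Timestamp_ISO8601", None)  # | fields - Timestamp_ISO8601
        if drop_raw:
            rec.pop("_raw")
        out.append(rec)
    return out


def leaks_card_number(rec):
    """Rough check used by this example: any 16-digit run in any field value."""
    return any(re.search(r"\b\d{16}\b", str(v)) for v in rec.values())


if __name__ == "__main__":
    for rec in run_pipeline(SAMPLE_EVENTS):
        print(rec.get("_time"), "card number still present:", leaks_card_number(rec))
    for raw in SAMPLE_EVENTS:
        if pm_marker_present(raw):
            print("WARNING: PM marker after", rex_timestamp(raw),
                  "- the source timestamp format is wrong for this event")
```

Run it on your own exported sample events before trusting a pipeline preview: a format mismatch shows up as a missing _time, a 12-hour clock shows up through pm_marker_present, and leaks_card_number makes the difference between dropping the helper field and dropping _raw visible.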
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406