在splunk索引数据时,会对数据进行一些自动的解析和提取,比如帮我们提取原始log里的日期,也会对某些格式的数据进行合并,将多行的数据合并为一条记录存储在splunk中,而这些自动提取的过程有时并不符合我们真实的业务逻辑,所以需要我们自己去配置;或者对于有些格式的数据,splunk自己也无法判断如何处理时可能就会出现各种解析错误。下面是总结的一些常见日期格式的格式化配置:
[case1]
#Event coming at Sat Jul 23 22:50:54 EDT 2022
TIME_FORMAT=%a %b %d %H:%M:%S %Z %Y
TIME_PREFIX=Event coming at
[case2]
#event中没有日期类型的
DATETIME_CONFIG=CURRENT
[case3]
#2022-07-26 05:35:36,456 INFO The event is coming.
#Please check event detials
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
LINE_BREAKER=([rn]+)d{4}-d{2}-d{2}sd{2}:d{2}:d{2},d{3}s
#如果event在合并时将多行log合并了,它可能会在第二行里匹配日期,这时就需要把LINE_BREAKER后面加上日期个正则表达式即可。
[case4]
#Jul 26, 2022 4:25:54 AM Event is coming.
#There is an exception...
TIME_PREFIX=^
TIME_FORMAT=%b %d, %Y %I:%M:%S %p
#这里要特别注意的是12小时制的小时用I来表示,24小时制的小时用H来表示;AM/PM用%p来表示。
LINE_BREAKER=([rn]+)w{3} d{2},
#这里同样要注意,由于多行合并为一个event,所以会在第二行也去匹配日期时就会报错,所以要在LINE_BREAKER后面加上日期的正则。
[case5]
#Date: Tue, 26 Jul 2022 17:54:25 +0800 (EDT)
#The event is coming.
TIME_PREFIX=Date:
TIME_FORMAT=%a, %d %b %Y %H:%M:%S %z (%Z)
LINE_BREAKER=([rn]+)Date
#注意这里有双重时区时的z与Z的区别
[case6]
#INFO >2022-07-14 22:54:25,346
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX=(w+s>|w+>)
[case7]
#2022-02-04 09:24:43.478
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX=w+s+
[case8]
#<07/16/2022 17:36:54:742
TIME_FORMAT=%m/%d/%Y %H:%M:%S:%3N
TIME_PREFIX=<
[case9]
#20220713,05345672 Event is coming.
LINE_BREAKER=([rn]+)d+
TIME_FORMAT=%Y%m%d,%H%M%S%2N
TIME_PREFIX=^
[case10]
#[2022-07-14 04:54:16,587] INFO Event is coming.
LINE_BREAKER=([rn]+)[d{4}-d{2}-d{2}s+d{2}:d{2}:d{2},d{3}]
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX=^[
[case11]
#07/13/2022 06:34:45:571 INFO Event is coming.
LINE_BREAKER=([rn]+)d{2}/d{2}/d{4}sd{2}:d{2}
TIME_FORMAT=%d/%m/%Y %H:%M:%S:%Q
TIME_PREFIX=^
[case12]
#ERROR>2022-07-24T18:43:16,567
LINE_BREAKER=([rn]+).*?>d{4}-d{2}-d{2}Td{2}:d{2}:d{2},d{3}
TIME_PREFIX=w+>
TIME_FORMAT=%Y-%m-%dT%H:%M:%S,%3N
[case13]
#11:35:54,632 DEBUG
LINE_BREAKER=([rn]+)d{2}:d{2}:d{2},d{3}sw+
[case14]
#[INFO ] 2022-07-23 12:35:54,762 [Thread 1]
LINE_BREAKER=([rn]+)([w+]|[w+s])s
TIME_FORMAT=%Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX=^[.*?]s
[case15]
#23/Jul/22:34:54:653+0800 [INFO]
LINE_BREAKER=([rn]+)d{1,3}.d{1,3}.d{1,3}.d{1,3}s".*?"s
TIME_FORMAT=%d/%b/%Y:%H:%M:%S:%3N-%z
TIME_PREFIX=^d{1,3}.d{1,3}.d{1,3}.d{1,3}s".*?"s
[case16]
#"time":"2022-07-12T17:43:54.654783146Z"
TIME_PREFIX="time":"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9NZ
INDEXED_EXTRACTIONS=JSON
#这里要特别注意的是,需要指明index提取的方式是JSON格式
[case17]
#{"Timestamp":"2022-07-13T19:43:26.6478932+08:00"
TIME_PREFIX={"Timestamp":"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%7N%:z
INDEXED_EXTRACTIONS=JSON
#注意这里的时区是用冒号隔开的
[case18]
#Event is coming at: [7/16/22 21:54:36:631 EDT]
TIME_PREFIX=[
TIME_FORMAT=%m/%d/%y %H:%M:%S:%3N %Z
#注意这里,年如果是只写了两位,那么就用y,如果是四位,那么就用Y
更多使用指南,参考官方文档:Resolve data quality issues - Splunk Documentation
