Hi Splunkers, I am having some trouble extracting a field as a date. Please help me.
I have logs like the ones below.
20130624090015008SOMEWORDS_A20130624090016009SOMEWORDS_B
20130624090017001SOMEWORDS_C20130624090018003SOMEWORDS_D
etc....
These mean,
yyyymmddHHMMSS(millisecond) SOMEWORDS_A yyyymmddHHMMSS(millisecond) SOMEWORDS_B
One record has two dates (time format). Without splitting it into two events, I want to recognize these fields as dates. I have now configured the props.conf file as follows:
<props.conf>
[some]
EXTRACT-First_Time = (?P<First_Time>^[0-9]{14}).+
EXTRACT-Last_Time = ^.{22}(?P<Last_Time>^[0-9]{14}).+
and I search for this field in the search app:
First_Time="20130624090015"
→ But "No matching events found. Inspect ..." was displayed.
I also searched as follows.
First_Time="20130624090015*"
→ I got the target event.
Why does this happen? I would also be happy to hear of a way to recognize the field as a date other than the timestamp.
Thank you.