https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558910#M6356 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234513">@shreya17</a>&nbsp; Great job!</P><P>I tested these and they seem correct.</P><P>A couple of settings I like to add</P><UL><LI>MAX_TIMESTAMP_LOOKAHEAD .. make it be the total number of characters in the time including timezone etc</LI><LI>SHOULD_LINEMERGE=false</LI><LI>LINE_BREAKER=([\r\n]+)..&nbsp; &nbsp; &nbsp;This one you put the regular expression that matches the beginning of an event. That way if there's some garbage lines they won't be treated as single events (if you want that) e.g. for 2 of your events it would be&nbsp;LINE_BREAKER=([\r\n]+<SPAN>\####&lt;</SPAN></LI><LI>TRUNCATE=9999 or whatever you want. The maximum line length you will accept<BR /><BR /><BR /></LI></UL> Fri, 09 Jul 2021 20:53:54 GMT burwell 2021-07-09T20:53:54Z https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558613#M6335 <P>I need help to write time format and time prefix for below&nbsp; timelogs. Please note these are seperate logs, hence need different timeformat and timeprefix for all three. Help will be appreciated, Thanks in advance!</P><P>####&lt;30/06/2021 11:13:08,975 PM AEST&gt;</P><P>####&lt;Jul 3, 2021 4:25:41,233 PM AEST&gt;</P><P>[2021-07-06T23:59:58.849+10:00]</P><P>&nbsp;</P><P>Trying to get this added in props.conf file in below format, need assistance with timeformat and timeprefix</P><P>DATETIME_CONFIG =<BR />NO_BINARY_CHECK = true<BR />TZ = Australia/Sydney<BR />TIME_FORMAT =&nbsp;<BR />TIME_PREFIX =</P> Wed, 07 Jul 2021 18:58:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558613#M6335 shreya17 2021-07-07T18:58:50Z https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558614#M6336 <P>Hi. Instead of us just providing you with the answer, do you want to take a crack at the timestamp settings?</P><P>Here are documented examples on the date/time format settings:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition#Examples" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition#Examples</A></P><P>I also came across this handy video that shows you how to interact with Splunk and test these settings.</P><P>&nbsp;<A href="https://www.youtube.com/watch?v=Q5EWCT79nZ4" target="_blank">https://www.youtube.com/watch?v=Q5EWCT79nZ4</A></P><P>Give the settings a try and let us know what works/doesn't work or that you have questions about. Thanks!</P> Wed, 07 Jul 2021 19:40:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558614#M6336 burwell 2021-07-07T19:40:57Z https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558713#M6346 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/155648">@burwell</a>&nbsp; I did give a try. Let me know if this is good.</P><P>####&lt;30/06/2021 11:13:08,975 PM AEST&gt;</P><P>DATETIME_CONFIG =<BR />NO_BINARY_CHECK = true<BR />TZ = Australia/Sydney<BR />TIME_FORMAT = %d/%m/%Y %I:%M:%S,%3N %p<BR />TIME_PREFIX = \####&lt;</P><P>&nbsp;</P><P>####&lt;Jul 3, 2021 4:25:41,233 PM AEST&gt;</P><P>DATETIME_CONFIG =<BR />NO_BINARY_CHECK = true<BR />TZ = Australia/Sydney<BR />TIME_FORMAT = %b %d, %Y %I:%M:%S,%3N %p<BR />TIME_PREFIX = \####&lt;</P><P>&nbsp;</P><P>[2021-07-06T23:59:58.849+10:00]&nbsp; --&nbsp;(not sure of this one)</P><P>DATETIME_CONFIG =<BR />NO_BINARY_CHECK = true<BR />TZ = Australia/Sydney<BR />TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N&nbsp;&nbsp;<BR />TIME_PREFIX = \[</P> Thu, 08 Jul 2021 15:12:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558713#M6346 shreya17 2021-07-08T15:12:17Z https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558910#M6356 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234513">@shreya17</a>&nbsp; Great job!</P><P>I tested these and they seem correct.</P><P>A couple of settings I like to add</P><UL><LI>MAX_TIMESTAMP_LOOKAHEAD .. make it be the total number of characters in the time including timezone etc</LI><LI>SHOULD_LINEMERGE=false</LI><LI>LINE_BREAKER=([\r\n]+)..&nbsp; &nbsp; &nbsp;This one you put the regular expression that matches the beginning of an event. That way if there's some garbage lines they won't be treated as single events (if you want that) e.g. for 2 of your events it would be&nbsp;LINE_BREAKER=([\r\n]+<SPAN>\####&lt;</SPAN></LI><LI>TRUNCATE=9999 or whatever you want. The maximum line length you will accept<BR /><BR /><BR /></LI></UL> Fri, 09 Jul 2021 20:53:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-me-with-Time-formt-and-time-prefix/m-p/558910#M6356 burwell 2021-07-09T20:53:54Z