https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69371#M14055 <P>Hi,</P> <P>Two things that MAY improve the situation: </P> <P>a) Set the <CODE>TIME_PREFIX = ^\d+,</CODE></P> <P>b) Set the <CODE>MAX_TIMESTAMP_LOOKAHEAD=18</CODE></P> <P>I have seen (on strftime.net) that <CODE>%l</CODE> (lowercase L) should be the 12-hour format without leading zeroes. Other sources claim that <CODE>%I</CODE> allows optional leading zeroes. Unfortunately I haven't found a definite list of the supported strftime/strptime formatting that Splunk accepts/recognizes.</P> <P>Also, on a side note, I don't think you need the filter for the parsing queue, since that is the default. You only need to filter out the header row to the null queue.</P> <P>Hope this helps,</P> <P>Kristian</P> Tue, 25 Sep 2012 08:13:55 GMT kristian_kolb 2012-09-25T08:13:55Z https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69370#M14054 <P>Hi All,</P> <P>Having an issue importing the following data.</P> <PRE><CODE>UID, In Date, Update Time, Vol, Corr Vol 453,May 1 2012 6:00AM,May 2 2012 3:24PM,133,223.000000000 453,May 1 2012 7:00AM,May 2 2012 3:24PM,104,175.000000000 453,May 1 2012 8:00AM,May 2 2012 3:24PM,90,152.000000000 </CODE></PRE> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[Flow] KV_MODE = none SHOULD_LINEMERGE = false TIME_FORMAT = %b %d %Y %I:%M%p TRANSFORMS-filterprices = filterFlowData, filterFlowHeaderRow REPORT-extracts = FlowDataCsvExtract </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[filterFlowHeaderRow] REGEX = ^UID(.*) DEST_KEY = queue FORMAT = nullQueue [filterFlowData] REGEX = (.*) DEST_KEY = queue FORMAT = indexQueue [FlowDataCsvExtract] DELIMS = "," FIELDS = "UID", "In Date", "Update Time", "Vol", "Corr Vol" </CODE></PRE> <P>It appears Splunk is retrieving the first time but completely ignoring the AM PM even though I am specifying it with the %p argument.</P> <P>Anyone have any clues how to persuade Splunk to not stop parsing the date too soon?</P> Tue, 25 Sep 2012 05:06:56 GMT https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69370#M14054 phoenixdigital 2012-09-25T05:06:56Z https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69371#M14055 <P>Hi,</P> <P>Two things that MAY improve the situation: </P> <P>a) Set the <CODE>TIME_PREFIX = ^\d+,</CODE></P> <P>b) Set the <CODE>MAX_TIMESTAMP_LOOKAHEAD=18</CODE></P> <P>I have seen (on strftime.net) that <CODE>%l</CODE> (lowercase L) should be the 12-hour format without leading zeroes. Other sources claim that <CODE>%I</CODE> allows optional leading zeroes. Unfortunately I haven't found a definite list of the supported strftime/strptime formatting that Splunk accepts/recognizes.</P> <P>Also, on a side note, I don't think you need the filter for the parsing queue, since that is the default. You only need to filter out the header row to the null queue.</P> <P>Hope this helps,</P> <P>Kristian</P> Tue, 25 Sep 2012 08:13:55 GMT https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69371#M14055 kristian_kolb 2012-09-25T08:13:55Z https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69372#M14056 <P>Thanks for the tip it seems the TIME_PREFIX did the trick and its picking up the AM PM now.</P> <P>I tested both %I and %l (lowercase L) and both behaved in the same manner.</P> <P>Good to know about the filter as well. Nothing better than simplifying things.</P> <P>Thanks again</P> Tue, 25 Sep 2012 20:30:55 GMT https://community.splunk.com/t5/Getting-Data-In/AM-PM-being-ignored-by-TIME-FORMAT-in-props-conf/m-p/69372#M14056 phoenixdigital 2012-09-25T20:30:55Z