topic Re: Correct TIME_FORMAT for the following timestamp? in Getting Data In

Correct TIME_FORMAT for the following timestamp?

infomedix — Mon, 28 Sep 2020 12:35:02 GMT

Hello,
I'm having trouble extracting the following timestamp for one source, is there someone here that can recommend what values to put into the $SPLUNK_HOME/etc/system/default/local file under the TIME_FORMAT attribute?

Mon Oct 8 12:15:10 EST 2012:

That is currently being indexed as 10/9/12 4:15:10.000 AM when it should be 8/10/12 12:15:10 AM.

Thank you

Re: Correct TIME_FORMAT for the following timestamp?

Ayn — Mon, 08 Oct 2012 04:48:06 GMT

%a %b %e %H:%M:%S %Z %Y

Re: Correct TIME_FORMAT for the following timestamp?

infomedix — Mon, 08 Oct 2012 05:08:56 GMT

Thanks Ayn, perhaps you can help me further, I placed the following in /opt/splunk/etc/system/local/props.conf:

[source::/directory/structure/logfile.log]

TIME_FORMAT = %a %b %e %H:%M:%S %Z %Y

Then restarted the service and fed more data into the log however it is still not recognising the timestamp. Is there something which I am doing wrong that you can see?

Re: Correct TIME_FORMAT for the following timestamp?

Ayn — Mon, 08 Oct 2012 05:23:49 GMT

Are you looking for timestamps in new events or old ones? Events that have already been indexed will not be affected by this change, because they already have their timestamp set.

Otherwise check splunkd.log for messages related to strptime time extraction, to see what error it is throwing. You MIGHT need to include an extra ":" at the end in your TIME_FORMAT.

Re: Correct TIME_FORMAT for the following timestamp?

infomedix — Mon, 08 Oct 2012 06:08:37 GMT

I am looking at the newer ones, I fed new data into it after making the changes and restarting the service.

My gut feeling is that the props file is not being called...

Re: Correct TIME_FORMAT for the following timestamp?

infomedix — Tue, 09 Oct 2012 22:34:24 GMT

I am still unsuccessful in configuring this, can anybody see anything that I am missing?