https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88002#M18259 <P>Thanks! I will move the props.conf to our Heavy Forwarder.</P> Thu, 06 Oct 2011 20:41:49 GMT Greg_LeBlanc 2011-10-06T20:41:49Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87990#M18247 <P>I am having a difficult time extracting the correct timestamp from a specific log.</P> <P>As you can see below, the beginning of the log entry there are two timestamps back to back. </P> <PRE><CODE>2851,10/06/2011,18:59:29,10/06/2011,14:59:29,1011, </CODE></PRE> <P>Here is my props.conf</P> <PRE><CODE> [sourcetype] MAX_TIMESTAMP_LOOKAHEAD = 20 TZ = America/New_York TIME_PREFIX = \d{4},\d{2}/\d{2}/\d{4},\d{2}\:\d{2}\:\d{2}, </CODE></PRE> <P>The first timestamp is still being extracted. See anything wrong here?</P> <P><STRONG>EDIT:</STRONG> Can I perform these actions on a Universal Forwarder? Now that I think about it, I can't. Only a Heavy forwarder, correct?</P> <P><STRONG>EDIT:</STRONG> Looks like this was my fault. I had been trying this on a Universal Forwarder - I moved this to my Heavy Forwarder and it works! Thanks.</P> Thu, 06 Oct 2011 19:07:45 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87990#M18247 Greg_LeBlanc 2011-10-06T19:07:45Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87991#M18248 <P>As far as I can see your MAX_TIMESTAMP_LOOKAHEAD = 20 only gets you as far as "9:29,10/06/2011,14:59:29,1011,"</P> <P>Try changing your MAX_TIMESTAMP_LOOKAHEAD=25.</P> Mon, 28 Sep 2020 09:57:18 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87991#M18248 jdunlea_splunk 2020-09-28T09:57:18Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87992#M18249 <P>Your TIME_PREFIX looks okay in my estimation. It also looks like your MAX_TIMESTAMP_LOOKAHEAD is correct. If that isn't working, I would suggest you try specifying TIME_FORMAT as well. This needs to be done where the data is parsed, so on the Heavy Forwarder, or on the indexer which the forwarder is sending, presuming a forwarder is part of the picture. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition</A></P> <P>I think that this should be the correct format:</P> <PRE><CODE>TIME_FORMAT = %m/%d/%Y,%H:%M:%S </CODE></PRE> Mon, 28 Sep 2020 09:57:21 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87992#M18249 jbsplunk 2020-09-28T09:57:21Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87993#M18250 <P>Oops i got confused on this! Indeed your MAX_TIMESTAMP_LOOKAHEAD is correct.</P> Mon, 28 Sep 2020 09:57:24 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87993#M18250 jdunlea_splunk 2020-09-28T09:57:24Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87994#M18251 <P>This is actually not correct. Using TIME_PREFIX tells splunk what precedes the timestamp. When MAX_TIMESTAMP_LOOKAHEAD is used in conjunction with TIME_PREFIX, you are telling splunk to look ahead as many characters as you've specified after matching the regex in TIME_PREFIX. In this case, it would start at the second timestamp and look 20 characters ahead, means it should see '10/06/2011,14:59:29' as the timestamp.</P> Mon, 28 Sep 2020 09:57:27 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87994#M18251 jbsplunk 2020-09-28T09:57:27Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87995#M18252 <P>Thanks for the answer, I tried this and no luck!</P> Thu, 06 Oct 2011 19:56:51 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87995#M18252 Greg_LeBlanc 2011-10-06T19:56:51Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87996#M18253 <P>Your %Y needs capitalized to match the 4 digit year.</P> Thu, 06 Oct 2011 20:02:42 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87996#M18253 alacercogitatus 2011-10-06T20:02:42Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87997#M18254 <P>corrected. thanks!</P> Thu, 06 Oct 2011 20:08:22 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87997#M18254 jbsplunk 2011-10-06T20:08:22Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87998#M18255 <P>Yep, only on an install that supports indexing (which light and universal disable). <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities</A></P> Thu, 06 Oct 2011 20:21:21 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87998#M18255 alacercogitatus 2011-10-06T20:21:21Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87999#M18256 <P>I've never really used the TIME_PREFIX, however from what I'm reading, the parser will try and find the TIME_PREFIX pattern first (which should match <STRONG>2851,10/06/2011,18:59:29,</STRONG>) and then look the next 20 characters (from MAX_TIMESTAMP_LOOKAHEAD), which should then match <STRONG>10/06/2011,14:59:29,</STRONG> which includes the comma. And since there is a comma, its not a "true" timestamp, as you will only have either a date or a time in the string. So it is never actually finding the second timestamp. There is also no need to escape the colons.</P> <P>Try this: </P> <BLOCKQUOTE> <P><CODE>TIME_FORMAT = %m/%d/%Y,%H:%M:%S</CODE></P> <P><CODE>TIME_PREFIX = \d{4},\d{2}/\d{2}/\d{4},\d{2}:\d{2}:\d{2},</CODE></P> </BLOCKQUOTE> <P>More <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition">details here</A></P> Thu, 06 Oct 2011 20:21:22 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/87999#M18256 alacercogitatus 2011-10-06T20:21:22Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88000#M18257 <P>The extra character in MAX_TIMESTAMP_LOOKAHEAD shouldn't stop this from working. In fact, sometimes to be safe I'll intentionally add an extra digit if there things like a space or comma. I haven't noticed any strange behavior because of this, but the approach mentioned here is a valid.</P> Mon, 28 Sep 2020 09:57:29 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88000#M18257 jbsplunk 2020-09-28T09:57:29Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88001#M18258 <P>I guess I was a little unclear on which comma. I meant the one in the middle of the date and time, not the one on the end.</P> <P>10/06/2011*<EM>,</EM>*14:59:29,</P> Mon, 28 Sep 2020 09:57:32 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88001#M18258 alacercogitatus 2020-09-28T09:57:32Z https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88002#M18259 <P>Thanks! I will move the props.conf to our Heavy Forwarder.</P> Thu, 06 Oct 2011 20:41:49 GMT https://community.splunk.com/t5/Getting-Data-In/Another-timestamp-question/m-p/88002#M18259 Greg_LeBlanc 2011-10-06T20:41:49Z