topic Re: Indexer not parsing 12 hour timestamp format in Getting Data In

Indexer not parsing 12 hour timestamp format

parth_jec — Thu, 12 Jul 2012 18:58:07 GMT

Hi,

I am using Universal forwarder (splunkforwarder-4.3.2-123586-x64-release) to forward multiple logs to the indexer (version 4.2.4, build 110225 ). For a particular log, I cannot see the logs indexed after 12:59 every day. For this log the timestamp format is a 12 hour format, Ex: 2012-07-12 01:00:16. However, all the other logs are forwarded properly from the same frowarder and they are using timestamp of 24 hour format, Ex: 2012-07-12 13:05:56.

How can I fix this?

Thanks,

Re: Indexer not parsing 12 hour timestamp format

jbsplunk — Thu, 12 Jul 2012 19:55:00 GMT

It sounds like you need to configure time format explicitly. If you did an all time,real time search for the source in question, I am guessing you'd continue to see data, but it would be timestamped incorrectly.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

Use the TIME_FORMAT attribute in props.conf to configure timestamp parsing. This attribute takes a strptime() format string, which it uses to extract the timestamp.

Splunk implements an enhanced version of Unix strptime() that supports additional formats, allowing for microsecond, millisecond, any time width format, and some additional time formats for compatibility. The additional formats are listed in this table: 

%I  For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l"), it takes on the log4cpp meaning of milliseconds.

Re: Indexer not parsing 12 hour timestamp format

parth_jec — Mon, 28 Sep 2020 12:04:34 GMT

I followed the link and created a props.conf in the local directory.

-props.conf-
[source::]
TIME_PREFIX = INFO
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%I

The log file event are like:
INFO 2012-06-25 04:11:00 – ToAdmin.....

I have added one blank space after INFO in the TIME_PREFIX but still can't see the logs.

Which logs can I look for in the splunk to debug this?
Can I use multiple prefixes separated by '|' something like TIME_PREFIX= INFO |WARN etc?
Can you pls explain what log4cpp is and how would it impact the timestamp parsing?

Re: Indexer not parsing 12 hour timestamp format

jbsplunk — Fri, 13 Jul 2012 15:29:41 GMT

What are your search time constraints? If you do an all time, real time search for the source of these events, do you see any data?

Re: Indexer not parsing 12 hour timestamp format

parth_jec — Wed, 18 Jul 2012 13:05:23 GMT

Figured out the problem, the timestamp format in the log file was incorrect (It didn't had AM/PM). Chnaged the timestamp format to 24 hours and it works fine now.

Thanks,