topic Re: Simple Timestamp not recognized in Getting Data In

Simple Timestamp not recognized

yiguanghu — Wed, 18 Jul 2012 20:04:48 GMT

I have a xml file source as below. I use <item to signature for event and it works.
But the timestamp simply refuse to work.
I used the regex to identify the timestamp: %Y-%m-%d %HH:%MM
Any help is appreciated. Thx

It is odd enough. It recognize this. The only different is the time. But the time has exactly the same format as above.

Re: Simple Timestamp not recognized

jbsplunk — Wed, 18 Jul 2012 22:09:32 GMT

Splunk doesn't use regex to specify timestamps, it uses using strptime:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
http://docs.python.org/library/datetime.html?highlight=strptime#strftime-behavior

You're timestamp syntax doesn't match the timestamp you've pasted from the events. The strptime is actually '%Y-%m-%d %H:%M'. Your props.conf should do something like this:

props.conf

[yourstanza]
TIME_PREFIX = .+preview_conf_time=
TIME_FORMAT = %Y-%m-%d %H:%M
MAX_TIMESTAMP_LOOKAHEAD = 16

Re: Simple Timestamp not recognized

yiguanghu — Thu, 19 Jul 2012 15:04:35 GMT

thanks for the answer. But it didn't make any difference. This is my test data. Try it. It will recognize the second item timestamp. But it does not work for '2006-01-02 09:45'. It recognize the time part, but the date is not working. Is it because the date is too old? I changed the date from 2006 to 2008, it works immediately. What am I missing?

tegory='Test-QA ' relType='DATABASE' Rel_id='1' preview_conf_time='2006-01-02 09:42' request_time='' LU='' Rolback='' preview_sent_time='' release_trigger_time='' uatECMS='NA' />

preview_sent_time='' release_trigger_time='' uatECMS='NA' />

Re: Simple Timestamp not recognized

iamtess — Wed, 30 Sep 2020 02:23:23 GMT

You may have to change the MAX_DAYS_AGO parameter as the default is 2000.