https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104237#M21944 <P>I used configuration like </P> <P><DEFINE name="_smcombdatetime" extract="day,litmonth,year,hour,minute,second,subsecond"></DEFINE></P> <PRE><CODE> &lt;text&gt;&lt;![CDATA[(?&lt;![\d\.])([012]\d|3[01])(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(20\d\d|19\d\d|[901]\d(?!\d))\s\w+\s([01]\d|2[0123])\:([0-6]\d)\:([0-6]\d)]]&gt;\s*&lt;/text&gt; &lt;/define&gt; </CODE></PRE> <P>In data preview it seems to work..but when i configure to read data from files, no data is getting indexed</P> Fri, 18 Oct 2013 09:25:57 GMT adityapavan18 2013-10-18T09:25:57Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104233#M21940 <P>I have events which start like </P> <P><STRONG>16OCT13</STRONG> AAAB <STRONG>12:59:00</STRONG> JAJAS DKDJD KDD</P> <P><STRONG>16OCT13</STRONG> AABB <STRONG>13:00:00</STRONG> AJAJA AKAJK AKA</P> <P>But i am not able to extract that particular timestamp for events</P> <P>In my props.conf i used:</P> <BLOCKQUOTE> <P>SHOULD_LINEMERGE=false</P> <P>TIME_PREFIX=^</P> <P>TIME_FORMAT=%d%b%y [A-Z]{4} %H:%M:%S</P> </BLOCKQUOTE> <P>But doesn't seem to work. Please tell me what i am doing wrong?</P> Thu, 17 Oct 2013 14:51:31 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104233#M21940 adityapavan18 2013-10-17T14:51:31Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104234#M21941 <P><CODE>TIME_FORMAT</CODE> does not accept regexes, only strptime style format</P> <P>In your case you'd need put the literal <CODE>AABB</CODE> string in <CODE>TIME_FORMAT=%d%b%y AABB %H:%M:%S</CODE>.</P> <P>Else, if the string is not known in advance, you'd probably need a custom datetime.xml </P> Thu, 17 Oct 2013 17:39:24 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104234#M21941 _d_ 2013-10-17T17:39:24Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104235#M21942 <P>oh ok ...is there any documentation on making changes in datetime.xml</P> Fri, 18 Oct 2013 07:17:11 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104235#M21942 adityapavan18 2013-10-18T07:17:11Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104236#M21943 <P><A href="http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/">http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/</A></P> Fri, 18 Oct 2013 07:25:49 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104236#M21943 kristian_kolb 2013-10-18T07:25:49Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104237#M21944 <P>I used configuration like </P> <P><DEFINE name="_smcombdatetime" extract="day,litmonth,year,hour,minute,second,subsecond"></DEFINE></P> <PRE><CODE> &lt;text&gt;&lt;![CDATA[(?&lt;![\d\.])([012]\d|3[01])(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)(20\d\d|19\d\d|[901]\d(?!\d))\s\w+\s([01]\d|2[0123])\:([0-6]\d)\:([0-6]\d)]]&gt;\s*&lt;/text&gt; &lt;/define&gt; </CODE></PRE> <P>In data preview it seems to work..but when i configure to read data from files, no data is getting indexed</P> Fri, 18 Oct 2013 09:25:57 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-extraction-not-working/m-p/104237#M21944 adityapavan18 2013-10-18T09:25:57Z