https://community.splunk.com/t5/Getting-Data-In/Index-the-timestamp-present-in-log-file/m-p/108680#M22847 <P>hello,</P> <P>I got a question regarding the field indexed by splunk when an event is received on splunk server.<BR /> I would like to index and use the timestamp present into the logs I get from multiple sources.<BR /> All those logs are stored into the default DB.</P> <P>There's 3 kind of timestamps present in the 3 diffrents logs source which look like this :</P> <UL> <LI>2012-07-25T08:07:30</LI> <LI>1343250669001 =&gt; This is epoch time</LI> <LI>Jul 23 12:09:43</LI> </UL> <P>3 eventtype has been created for each.</P> <P>Splunk is currently indexing these logs at the time it were received on the splunk server.<BR /> The purpose would be to do search on splunk from these events using the time present in the logs file.</P> <P>I tried to follow the instrctions present in this page but it doesen't seems to work, i'm pretty sure i'm doing something wrong.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition</A></P> <P>Here's the first entry i made on the props.conf file.</P> <PRE><CODE>[EVENT_Spyware] TIME_PREFIX = (?i) .*?="(?P&lt;Spyware&gt;\d+\-\d+\-\d+\w+:\d+:\d+)\w+" TIME_FORMAT = %Y-%m-%dT%H:%M:%S TZ = Europe/Paris TRANSFORMS-Virus = Spyware </CODE></PRE> <P>Could someone help please ?<BR /> Thanks.</P> Thu, 26 Jul 2012 08:55:46 GMT rbw78 2012-07-26T08:55:46Z https://community.splunk.com/t5/Getting-Data-In/Index-the-timestamp-present-in-log-file/m-p/108680#M22847 <P>hello,</P> <P>I got a question regarding the field indexed by splunk when an event is received on splunk server.<BR /> I would like to index and use the timestamp present into the logs I get from multiple sources.<BR /> All those logs are stored into the default DB.</P> <P>There's 3 kind of timestamps present in the 3 diffrents logs source which look like this :</P> <UL> <LI>2012-07-25T08:07:30</LI> <LI>1343250669001 =&gt; This is epoch time</LI> <LI>Jul 23 12:09:43</LI> </UL> <P>3 eventtype has been created for each.</P> <P>Splunk is currently indexing these logs at the time it were received on the splunk server.<BR /> The purpose would be to do search on splunk from these events using the time present in the logs file.</P> <P>I tried to follow the instrctions present in this page but it doesen't seems to work, i'm pretty sure i'm doing something wrong.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition</A></P> <P>Here's the first entry i made on the props.conf file.</P> <PRE><CODE>[EVENT_Spyware] TIME_PREFIX = (?i) .*?="(?P&lt;Spyware&gt;\d+\-\d+\-\d+\w+:\d+:\d+)\w+" TIME_FORMAT = %Y-%m-%dT%H:%M:%S TZ = Europe/Paris TRANSFORMS-Virus = Spyware </CODE></PRE> <P>Could someone help please ?<BR /> Thanks.</P> Thu, 26 Jul 2012 08:55:46 GMT https://community.splunk.com/t5/Getting-Data-In/Index-the-timestamp-present-in-log-file/m-p/108680#M22847 rbw78 2012-07-26T08:55:46Z https://community.splunk.com/t5/Getting-Data-In/Index-the-timestamp-present-in-log-file/m-p/108681#M22848 <P>Is <CODE>EVENT_Spyware</CODE> the <CODE>sourcetype</CODE> of the data? Can you update your question with a sample event?</P> Thu, 26 Jul 2012 12:22:55 GMT https://community.splunk.com/t5/Getting-Data-In/Index-the-timestamp-present-in-log-file/m-p/108681#M22848 dwaddle 2012-07-26T12:22:55Z