topic Re: TimeStamp translation in Getting Data In

TimeStamp translation

bc_unixadm — Tue, 27 Jul 2010 00:28:41 GMT

I have a date and time timestamp that looks like DATABASE|20100226|123918|20100226|083918| and I want to extract the date and second time stamp (local not GMT). I have figured out that the changes would be to the props.conf, I am having trouble getting the correct format to get the date/time in the database correctly as this is the time of the event.

Any suggestions?

thanks

Re: TimeStamp translation

rroberts — Tue, 27 Jul 2010 00:45:41 GMT

When you say you have figured out the changes would be in props.conf are you using TIME_PREFIX and TIME_FORMAT attributes? see example below.

Example: web proxy log
10.100.2.3, jdoe, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1), -, 9/17/2009, 9:01:00, -, hostname, props.conf

Specify what Splunk recognizes as a timestamp. Extract Date and Time at 4th and 5th comma delimited

TIME_PREFIX = ^(?:[^\,]+,){4}\s* # will find 9/17/2009 and 0:00:00 after 4th comma

Format time as month/day/year, hour:min:second

TIME_FORMAT = %m/%d/%Y, %H:%M:%S

Re: TimeStamp translation

bc_unixadm — Tue, 27 Jul 2010 00:58:41 GMT

Sorry, when I said that the changes go to the props.conf, from what I read that is where I should put in the code to get the information from the log. I am not 100% sure of that as I have not made many changes from the default collection that splunk does. If that is not what needs to be changed, please point me in the correct direction. The date/time format in my example is 20100226|083918 and I want that to show up as the event time of month/day/year and the time 083918 show up date 8:39:18 AM.

Re: TimeStamp translation

Genti — Tue, 05 Oct 2010 13:08:23 GMT

More precisely, in your case you want a props.conf that looks like this:

<spec>
TIME_PREFIX = ^\w+\|\d+\|\d+\|
TIME_FORMAT = %Y%m%d|%H%M%S

Check this doc page for more information on timestamp recognition