topic Re: Can I have different timestamp formats using the same sourcetype? in Getting Data In

Can I have different timestamp formats using the same sourcetype?

rune_hellem — Tue, 29 Jul 2014 09:26:15 GMT

Indexing a lot of SystemOut.log files from WebSphere I realize that all almost all log files uses the following time format

TIME_FORMAT = %m/%d/%y %H:%M:%S%3N %Z

But on some old servers the format is

TIME_FORMAT = %d/%m/%y %H:%M:%S%3N %Z

Is it possible for to use two formats for the same sourcetype? Or as an alternative can I create a "child sourcetype" with no other changes than the time_format?

Re: Can I have different timestamp formats using the same sourcetype?

tom_frotscher — Tue, 29 Jul 2014 09:32:52 GMT

I don't know if this works in your usecase. But you should be able to use a custom datetime.xml to solve this. Take a look at this: http://answers.splunk.com/answers/1807/2-different-timestamps-in-single-log

Re: Can I have different timestamp formats using the same sourcetype?

strive — Tue, 29 Jul 2014 09:47:12 GMT

Yes it is possible by having your app specific datetime.xml

See this
http://answers.splunk.com/answers/11173/how-to-extact-multiple-timestamp-formats-for-syslog-input

Also, there is another website where they have some examples

http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem

Re: Can I have different timestamp formats using the same sourcetype?

rune_hellem — Fri, 01 Aug 2014 08:51:28 GMT

For Windows users, worth noticing how to correctly define path to custom datetime.xml escaping backslashes. Took some time before I figured that one out (use double backslashes, it does not show here)

DATETIME_CONFIG = \\etc\\apps\\myapp\\local\\datetime.xml