topic Re: Need help to get Timestamp correctly in Getting Data In

Need help to get Timestamp correctly

lakromani — Tue, 17 Jun 2014 16:05:20 GMT

I have data in the following format (Serv-U ftp log)

[5] Sun 01Jun08 00:24:04 - (000555) Connected to 76.76.76.76 (Local address 10.11.12.13)

I need help to get Splunk to get time correctly out of this.

Time is in this format (I think)

%d%b%y %T

So how to do it?

Automatically locate timestamp (default)

or
Timestamp is always prefaced by a pattern

I tried Auto and entered the date format in format field. It then complain about prefix?

If I select "Timestamp is always prefaced..." what then to fill in the filed?

Thanks

Re: Need help to get Timestamp correctly

jeremiahc4 — Tue, 17 Jun 2014 16:16:48 GMT

Is your timestamp always prefaced by the pattern above "[5] Sun "? (Assuming the number and the 3-char weekday changes).

If so, you could enter a prefaced regex such as "\[\d\]\s\w{3}\s" (not sure if escape needed on brackets or not)

Re: Need help to get Timestamp correctly

lakromani — Tue, 17 Jun 2014 18:06:05 GMT

Thanks, works perfect. I do added "regex" to the Timestamp field and "date format" in format field

Re: Need help to get Timestamp correctly

hortonew — Wed, 08 Oct 2014 15:17:42 GMT

I'm a little late, but I just dealt with this yesterday. This is what was in my props.conf on my indexers for the servu_logs sourcetype:

[servu_logs]

SHOULD_LINEMERGE = false

LINE_BREAKER = ([\r\n]+)

TIME_PREFIX = [[\d]+]\s[\w]+\s

TIME_FORMAT = %d%b%y %H:%M:%S

Re: Need help to get Timestamp correctly

nitrogaute — Tue, 28 Oct 2014 10:58:44 GMT

I have a similar problem:

BREAK_ONLY_BEFORE=\d{7}
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%3N
TIME_PREFIX=\d{7}

Trying to parse out the millisecond timestamp from this log file, 9281736 :

  9281736 : COUNT IN 1003
Tx:   01 04 00 71 00 02 21 d0                              ...q..!.
Rx:   01 04 04 00 08 0a 28 7c f8    
  9282136 : COUNT IN 1003
Tx:   01 04 00 c9 00 02 a1 f5                              ........
Rx:   01 04 04 00 08 00 00 7a 46

I suspect my TIME_FORMAT is wrong, because it breakes up events correctly.
Get the error of:

Could not use strptime to parse timestamp from ": COUNT 1003\n ......
Make sure a prefix pattern is
specified if the events don`t begin
with a timestamp.

Failed to parse timestamp. Defaulting to file modtime.

Any suggestion would be much appreciated!

Re: Need help to get Timestamp correctly

ppablo — Thu, 30 Oct 2014 01:32:46 GMT

Hi @nitrogaute

Using the answer space on a post isn't really the best (or appropriate) way to find a solution to an issue you're having on this site. Can you please post this as a separate question?