topic Re: Unable to capture correct timestamp? in Getting Data In

Unable to capture correct timestamp?

remy06 — Wed, 04 Aug 2010 11:13:04 GMT

hi,

I'm trying to configure splunk to display the time based on the event.

The event's timestamp format is something like this:
EXTENDED_TIMESTAMP="04-AUG-10 12.10.43.720287 AM +08:00"

I've configured props.conf with this:
[myevent]
TIME_PREFIX = EXTENDED_TIMESTAMP="
TIME_FORMAT = %d-%b-%y %I.%M.%S.%q %p
SHOULD_LINEMERGE = true

However,splunk occasionally display the wrong time as it translate AM as PM which is wrong.

Is there anything wrong with the config?

stephanbuys — Wed, 04 Aug 2010 14:50:54 GMT

Hi Remy06,

Please try TIME_FORMAT = %d-%b-%y %I.%M.%S.%6N %p

I think it might be the difference between nano and milliseconds that's tripping it up.

remy06 — Fri, 20 Aug 2010 09:22:14 GMT

Hi,

Seems to have problems with it now.It's been working fine for the past few days..

Sample of the event: ......,EXTENDED_TIMESTAMP="20/08/10 12:59:21.994681 AM +08:00"....

props.conf
[myevent]
TIME_PREFIX = EXTENDED_TIMESTAMP="
TIME_FORMAT = %d/%m/%y %I:%M:%S.%6N %p
SHOULD_LINEMERGE = true

This morning I've noticed the dates are specified in splunk as:
10/12/08
12:59:21.994 AM

Any idea?