https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229042#M44556 <P>Hello, </P> <P>I don't know if it is possible get this setup. I should load into Splunk a log file with lots of events, but I am not able to set up the timestamp in the right way. In the filename, I can seen the date and in the events the time as following: </P> <UL> <LI>Filename: LOG_14-07-09_1100.TST</LI> <LI><P>Events sample: <BR /> 11000000 RSM2 MC0210 pcs013 ....<BR /> 11010500 SSM7 MC2020 pkt023 ....<BR /> 11030500 KSF3 MC4010 pkt313 ....<BR /> 11100100 TRW71 MC1010 pkt021 ....<BR /> 11122000 WRM1 MC1020 pkt013 ....<BR /> 11330200 TWM31 MC0410 pkt118 ....</P></LI> <LI><P>So, the timestamp should be: <BR /> 2014/07/09 - 11:00 AM <BR /> 2014/07/09 - 11:01 AM <BR /> 2014/07/09 - 11:03 AM <BR /> 2014/07/09 - 11:10 AM <BR /> 2014/07/09 - 11:12 AM <BR /> 2014/07/09 - 11:33 AM </P></LI> </UL> <P>Any idea if this is possible? If so, how? </P> <P>Thanks in advance,</P> Tue, 29 Sep 2020 09:35:16 GMT ofaura 2020-09-29T09:35:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229042#M44556 <P>Hello, </P> <P>I don't know if it is possible get this setup. I should load into Splunk a log file with lots of events, but I am not able to set up the timestamp in the right way. In the filename, I can seen the date and in the events the time as following: </P> <UL> <LI>Filename: LOG_14-07-09_1100.TST</LI> <LI><P>Events sample: <BR /> 11000000 RSM2 MC0210 pcs013 ....<BR /> 11010500 SSM7 MC2020 pkt023 ....<BR /> 11030500 KSF3 MC4010 pkt313 ....<BR /> 11100100 TRW71 MC1010 pkt021 ....<BR /> 11122000 WRM1 MC1020 pkt013 ....<BR /> 11330200 TWM31 MC0410 pkt118 ....</P></LI> <LI><P>So, the timestamp should be: <BR /> 2014/07/09 - 11:00 AM <BR /> 2014/07/09 - 11:01 AM <BR /> 2014/07/09 - 11:03 AM <BR /> 2014/07/09 - 11:10 AM <BR /> 2014/07/09 - 11:12 AM <BR /> 2014/07/09 - 11:33 AM </P></LI> </UL> <P>Any idea if this is possible? If so, how? </P> <P>Thanks in advance,</P> Tue, 29 Sep 2020 09:35:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229042#M44556 ofaura 2020-09-29T09:35:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229043#M44557 <P>Below link should give you require details to understand how the timestamp recognition works in Splunk.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps#How_Splunk_Enterprise_assigns_timestamps">http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/HowSplunkextractstimestamps#How_Splunk_Enterprise_assigns_timestamps</A></P> <P>Basically you need the processing of point 4 from above link. An untested suggestion would to set the TIME_FORMAT to a value which is not present in the event and let Splunk identify the date from file name and time from event.</P> Mon, 02 May 2016 16:58:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229043#M44557 somesoni2 2016-05-02T16:58:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229044#M44558 <P>Thanks for your answer, but it does not work. When I defined TIME_FORMAT to a value not present then Splunk applies the file mod date and time as the timestamp. </P> <P>So, I have been working on something like: </P> <P>TIME_FORMAT = %H%M%S%2N<BR /> SHOULD_LINEMERGE = true<BR /> BREAK_ONLY_BEFORE = ^\d{8}\s<BR /> NO_BINARY_CHECK = true</P> <P>And this works with the time, Splunk identify the time but not the date, and as you said, the documentations says: </P> <P>"4. If no events in a source have a date, Splunk Enterprise tries to find a date in the source name or file name. Time of day is not identified in filenames. (This requires that the events have a time, even though they don't have a date.) " </P> <P>So, this should be working but it does not, any suggestion? </P> <P>Thanks in advance, </P> Tue, 29 Sep 2020 09:39:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229044#M44558 ofaura 2020-09-29T09:39:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229045#M44559 <P>Hello, </P> <P>I have found a workaround that it´s working fine. </P> <P>In props.conf: </P> <P>TIME_FORMAT = %H%M%S%2N<BR /> DATETIME_CONFIG = <BR /> TZ = Europe/Madrid</P> <P>And I have rename the file from LOG_14-07-09_1100.TST to LOG_20140709_1100.TST and now, Splunk takes the date from the filename and time from the events. </P> <P>Oscar </P> Tue, 29 Sep 2020 09:39:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-Splunk-to-set-the-event-timestamp-based-on/m-p/229045#M44559 ofaura 2020-09-29T09:39:59Z