https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233412#M45530 <P>I want to make sure i understand this, i have logs that splunk can not find the time stamp on. and some are missing. </P> <P>for the logs that have the time in them i would juse use this in props.conf on the Heavy forwaders correct? </P> <P>[source_type]<BR /> TIME_PREFIX = \d\d\/\w\w\w\/\d\d\d\d:\d\d:\d\d:\d\d<BR /> TIME_FORMAT = %d/%b/%Y%::z</P> <P>log looks like this:</P> <PRE><CODE>--ab50cd40-A-- [25/Sep/2016:04:08:52 --0400] BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH </CODE></PRE> <P>For the logs that do not have a time stamp, how to i set them to use indexed time for the time stamp? </P> <PRE><CODE>--ab50cd30-A-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH --ac50ad30-H-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH --090e4955-A-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH </CODE></PRE> Tue, 29 Sep 2020 11:17:57 GMT sbattista09 2020-09-29T11:17:57Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233412#M45530 <P>I want to make sure i understand this, i have logs that splunk can not find the time stamp on. and some are missing. </P> <P>for the logs that have the time in them i would juse use this in props.conf on the Heavy forwaders correct? </P> <P>[source_type]<BR /> TIME_PREFIX = \d\d\/\w\w\w\/\d\d\d\d:\d\d:\d\d:\d\d<BR /> TIME_FORMAT = %d/%b/%Y%::z</P> <P>log looks like this:</P> <PRE><CODE>--ab50cd40-A-- [25/Sep/2016:04:08:52 --0400] BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH </CODE></PRE> <P>For the logs that do not have a time stamp, how to i set them to use indexed time for the time stamp? </P> <PRE><CODE>--ab50cd30-A-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH --ac50ad30-H-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH --090e4955-A-- BLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH BLAH BLAHBLAH BLAHBLAH BLAH </CODE></PRE> Tue, 29 Sep 2020 11:17:57 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233412#M45530 sbattista09 2020-09-29T11:17:57Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233413#M45531 <P>Try this:</P> <PRE><CODE>TIME_PREFIX = .*?\[ TIME_FORMAT = %d/%b/%Y:%H:%M:%S -%z MAX_TIMESTAMP_LOOKAHEAD = 28 </CODE></PRE> <P>This is a good blog I put together if you have multiple time formats in the same log file and some events with nothing: <A href="http://blogs.splunk.com/2014/04/23/its-that-time-again">http://blogs.splunk.com/2014/04/23/its-that-time-again</A></P> <P>For events with no dates at all, just set:</P> <PRE><CODE>DATETIME_CONFIG = current </CODE></PRE> Wed, 05 Oct 2016 13:10:19 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233413#M45531 dmaislin_splunk 2016-10-05T13:10:19Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233414#M45532 <P>For the logs with timestamp, splunk should automatically recognize the timeformat. If it doesn't use this</P> <PRE><CODE>TIME_FORMAT=%d/%b/%Y:%X TIME_PREFIX=\[ MAX_TIMESTAMP_LOOKAHEAD=25 </CODE></PRE> <P>For the logs without timestamp, try this</P> <PRE><CODE>DATETIME_CONFIG=CURRENT </CODE></PRE> Wed, 05 Oct 2016 13:13:34 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233414#M45532 sundareshr 2016-10-05T13:13:34Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233415#M45533 <P>awesome! so its okay to add all this in one stanza in props.conf?</P> <P>[sourcetype_name]<BR /> TIME_PREFIX = .*?[<BR /> TIME_FORMAT = %d/%b/%Y:%H:%M:%S -%z<BR /> MAX_TIMESTAMP_LOOKAHEAD = 28<BR /> DATETIME_CONFIG = current</P> Tue, 29 Sep 2020 11:18:00 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233415#M45533 sbattista09 2020-09-29T11:18:00Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233416#M45534 <P>I believe that you can do it on the indexer by specifying the following in <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration">props.conf</A></P> <PRE><CODE>[mysourcetype] DATETIME_CONFIG = CURRENT </CODE></PRE> <P>From the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration">props.conf</A> documentation we can see that</P> <BLOCKQUOTE> <P><EM>"CURRENT"</EM> will set the time of the event to the time that the event was<BR /> merged from lines, or worded differently, the time it passed through the<BR /> aggregator processor.</P> </BLOCKQUOTE> <P><EM>DATETIME_CONFIG</EM> is usually used to specify the file that configures the timestamp extractor, but can also be used to prevent a timestamp extractor or assign the current system time to each event.</P> <P>More information can be found here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <P>Hope this helps</P> <P>Cheers,</P> Wed, 05 Oct 2016 13:20:34 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233416#M45534 tormodbp 2016-10-05T13:20:34Z https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233417#M45535 <P>But DATETIME_CONFIG=current will override the settings for timestamp configurations and will set all timestamps to the current time. I don't know your data so not sure if you need a custom DATETIME_CONFIG file.</P> Tue, 29 Sep 2020 11:17:15 GMT https://community.splunk.com/t5/Getting-Data-In/Time-stamp-stanza/m-p/233417#M45535 dmaislin_splunk 2020-09-29T11:17:15Z