topic Re: configuring TIME_FORMAT in Getting Data In

configuring TIME_FORMAT

kerne1 — Mon, 28 Sep 2020 12:12:25 GMT

Hello, our logs have ISO 8601 date format with shorted year (YY instead of YYYY): "12-08-06 04:42:10". It is 6 of August 2012 but Splunk think it is 12 of August 2006.

I've added to props.conf:
TIME_FORMAT = %y-%m-%d %H:%M:%S
but this didn't change anything.

the full config:



    [source::/var/log/access*]

    #12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443" 

    EXTRACT-access = ^(?P<datestamp>[^ ]+) (?P<timestamp>[^ ]+) "(?P<auth_user>[^|])|(?P<profile>[^"])" (?P<src_ip>[^ ]+) "(?P<method>[A-Z]+) (?P<url>[^"]+)"

    TIME_FORMAT = %y-%m-%d %H:%M:%S

any idea how to configure?

thanks

Re: configuring TIME_FORMAT

kerne1 — Tue, 07 Aug 2012 13:53:16 GMT

sorry for misleading, the html tags come from Markdown and doesn't belong to the config.

this ist the log line:
12-08-03 19:48:40 "user1|g" 1.2.3.4 "CONNECT www.example.com:443"
this is the props.conf (I've removed the EXTRACT expression for clarity):

[source::/var/log/access*]
TIME_FORMAT = %y-%m-%d %H:%M:%S

Re: configuring TIME_FORMAT

dmaislin_splunk — Mon, 28 Sep 2020 12:12:30 GMT

MAX_TIMESTAMP_LOOKAHEAD=20
SHOULD_LINEMERGE=false
TIME_FORMAT=%y-%m-%d %H:%M:%S
TIME_PREFIX=^

Re: configuring TIME_FORMAT

blebit — Fri, 24 Jan 2014 08:53:29 GMT

hello, can we push this from Deployment Monitor ???

Re: configuring TIME_FORMAT

pmocek — Wed, 02 Apr 2014 21:55:39 GMT

Your logs are not using ISO 8601. It specifies four-digit years. There is no provision in it for a two-digit year.

Re: configuring TIME_FORMAT

hetzere — Tue, 10 May 2016 14:55:14 GMT

I downvoted this post because op stated the exception, and the comment does nothing to answer the question.