https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251376#M48385 <P>Your time format is wrong. It should be uppercase Y for the year if it includes centuary</P> <PRE> TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N </PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Commontimeformatvariables</A></P> Thu, 01 Oct 2015 13:58:56 GMT pradeepkumarg 2015-10-01T13:58:56Z https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251375#M48384 <P>Hello, I have the follow data set comprised of custom weblog output:</P> <PRE><CODE>2015-08-08 12:40:03:163 UserID="37" userGroup="helloworld1192" userRole="test82" commonName="insertnamehereagainandagain" certName="HENRY.T.WASHINGTON" ipAddress="192.168.1.83" userBrowser="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" </CODE></PRE> <P>I have the following in my Props.conf on the indexer:</P> <PRE><CODE>[customwebtest] LINE_BREAKER = (\d{4}\S\d{2}\S\d{2}\s\d{2}\S\d{2}\S\d{2}\S\d{3}) SHOULD_LINEMERGE = false CHECK_FOR_HEADER = false MAX_TIMESTAMP_LOOKAHEAD = 23 TIME_PREFIX = ^ TIME_FORMAT = (%y-%m-%d %H:%M:%S:%3N) </CODE></PRE> <P>Problem is in Splunk it's excluding the event timestamp and using the time at ingestion. What am I doing wrong here?</P> <P>Thanks!</P> Thu, 01 Oct 2015 13:51:32 GMT https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251375#M48384 hagjos43 2015-10-01T13:51:32Z https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251376#M48385 <P>Your time format is wrong. It should be uppercase Y for the year if it includes centuary</P> <PRE> TIME_FORMAT = %Y-%m-%d %H:%M:%S:%3N </PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Commontimeformatvariables</A></P> Thu, 01 Oct 2015 13:58:56 GMT https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251376#M48385 pradeepkumarg 2015-10-01T13:58:56Z https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251377#M48386 <P>The value of the LINE_BREAKER attribute is the event separator - characters that come between events. Whatever matches the first capturing group is discarded. If your log has one event per line then the default <CODE>LINE_BREAKER=\n</CODE> should be sufficient.</P> Tue, 29 Sep 2020 07:27:20 GMT https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251377#M48386 richgalloway 2020-09-29T07:27:20Z https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251378#M48387 <P>Remove your LINE_BREAKER and you should be fine.</P> <P>Cheers,</P> <P>Andreas</P> Thu, 01 Oct 2015 14:06:22 GMT https://community.splunk.com/t5/Getting-Data-In/Properly-Extract-Time-from-custom-Data-Set/m-p/251378#M48387 schose 2015-10-01T14:06:22Z