https://community.splunk.com/t5/Getting-Data-In/Is-the-configuration-for-my-timestamp-correct/m-p/264965#M50863 <P>I have a problem with the right extraction of timestamp in a log file. The string example of my log :</P> <PRE><CODE>161206 152835 LNX64 3 PWX-36145 ORAD Info Mbr 2: + Low SCN 6120947915182. Low SCN Time 12/06/2016 14:58:17. 161206 152835 LNX64 3 PWX-36146 ORAD Info Mbr 2: + Next SCN 6120950880737. Next SCN Time 12/06/2016 15:27:58. 161206 152900 LNX64 3 PWX-36117 ORAD Info Mbr 3: Reader is waiting for log sequence 36736 with start SCN 6120950700533 to be archived. 161206 152908 LNX64 3 PWX-36440 ORAD Info: Monitor messages begin (2016/12/06 15:29:08). 161206 152908 LNX64 3 PWX-36441 ORAD Info: Interval return counts: no data 114, commits 32717, inserts 35394, updates 5898, deletes 118. 161206 152908 LNX64 3 PWX-36442 ORAD Info: Interval TMGR counts: no data 124, transaction control 529871, operations 109033, other 0. </CODE></PRE> <P>this my props.conf :</P> <PRE><CODE>[etl-pwxccl_log2] CHARSET = UTF-8 TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD = 14 TIME_FORMAT = %Y%m%d %H%M%S SHOULD_LINEMERGE = false disabled = false REPORT-pwxccl = etl-pwxxccl-fields </CODE></PRE> <P>this my transforms.conf:</P> <PRE><CODE>[etl-pwxxccl-fields] REGEX= ^(?P\d+)\s+(?P\d+)\s+(?P.+) FORMAT = DATA::"$1" ORA::"$2" MESSAGE::"$3" WRITE_META=1 </CODE></PRE> <P>With this configuration the extraction of date is correct but is the time incorrect (recovered in other places of the log line?) </P> <P>Can someone help me?</P> Wed, 07 Dec 2016 10:59:03 GMT patriziadepaola 2016-12-07T10:59:03Z https://community.splunk.com/t5/Getting-Data-In/Is-the-configuration-for-my-timestamp-correct/m-p/264965#M50863 <P>I have a problem with the right extraction of timestamp in a log file. The string example of my log :</P> <PRE><CODE>161206 152835 LNX64 3 PWX-36145 ORAD Info Mbr 2: + Low SCN 6120947915182. Low SCN Time 12/06/2016 14:58:17. 161206 152835 LNX64 3 PWX-36146 ORAD Info Mbr 2: + Next SCN 6120950880737. Next SCN Time 12/06/2016 15:27:58. 161206 152900 LNX64 3 PWX-36117 ORAD Info Mbr 3: Reader is waiting for log sequence 36736 with start SCN 6120950700533 to be archived. 161206 152908 LNX64 3 PWX-36440 ORAD Info: Monitor messages begin (2016/12/06 15:29:08). 161206 152908 LNX64 3 PWX-36441 ORAD Info: Interval return counts: no data 114, commits 32717, inserts 35394, updates 5898, deletes 118. 161206 152908 LNX64 3 PWX-36442 ORAD Info: Interval TMGR counts: no data 124, transaction control 529871, operations 109033, other 0. </CODE></PRE> <P>this my props.conf :</P> <PRE><CODE>[etl-pwxccl_log2] CHARSET = UTF-8 TIME_PREFIX=^ MAX_TIMESTAMP_LOOKAHEAD = 14 TIME_FORMAT = %Y%m%d %H%M%S SHOULD_LINEMERGE = false disabled = false REPORT-pwxccl = etl-pwxxccl-fields </CODE></PRE> <P>this my transforms.conf:</P> <PRE><CODE>[etl-pwxxccl-fields] REGEX= ^(?P\d+)\s+(?P\d+)\s+(?P.+) FORMAT = DATA::"$1" ORA::"$2" MESSAGE::"$3" WRITE_META=1 </CODE></PRE> <P>With this configuration the extraction of date is correct but is the time incorrect (recovered in other places of the log line?) </P> <P>Can someone help me?</P> Wed, 07 Dec 2016 10:59:03 GMT https://community.splunk.com/t5/Getting-Data-In/Is-the-configuration-for-my-timestamp-correct/m-p/264965#M50863 patriziadepaola 2016-12-07T10:59:03Z https://community.splunk.com/t5/Getting-Data-In/Is-the-configuration-for-my-timestamp-correct/m-p/264966#M50864 <P>Since its 2-digit year (YY), try lower case <CODE>%y</CODE>. Like this <CODE>%y%m%d %H%M%S</CODE></P> Wed, 07 Dec 2016 13:42:57 GMT https://community.splunk.com/t5/Getting-Data-In/Is-the-configuration-for-my-timestamp-correct/m-p/264966#M50864 sundareshr 2016-12-07T13:42:57Z