topic How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk? in Getting Data In

How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

gagi76 — Wed, 25 May 2016 07:27:47 GMT

Hi everyone,

Can someone tell me what I'm suppose to edit in my datetime.xml file for my custom date and time to be recognized in Splunk? Here is example of a log:

I have tried:
datetime.xml

<datetime>
<define name="Date" extract="year, month, day">
<text>\<DATE>(\d{4})(\d{2})(\d{2})</text>
</define>

<define name="Time" extract="hour, minute, second">
<text>\<TIME>(\d{2})(\d{2})(\d{2})</text>
</define>

<timePatterns>
<use name="Time"/>
</timePatterns>

<datePatterns>
<use name="Date"/>
</datePatterns>

</datetime>

props.conf

DATETIME_CONFIG = /etc/system/local/datetime.xml

I think I'm missing something here....

Thanks, cheers

Re: How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

gagi76 — Wed, 25 May 2016 19:00:52 GMT

I changed it few times, and now looks like this and again splunk does not recognize date and time... any ideas?

First I did it with this props.conf:

DATETIME_CONFIG = C:\Program Files\Splunk\etc\system\local\datetime.xml

Second time with this props.conf:

DATETIME_CONFIG = C:\Program Files\Splunk\etc\system\local\datetime.xml
TIME_PREFIX = DATE\>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S

And my datetime.xml looks like this now :

<?xml version="1.0" encoding="UTF-8"?>

<datetime>
<define name="_Date" extract="year, month, day">
    <text>\DATE>(\d{4})(\d{2})(\d{2})</text>
</define>

<define name="_Time" extract="hour, minute, second">
    <text>\TIME>(\d{2})(\d{2})(\d{2})</text>
</define>

<timePatterns>
    <use name="_Date"/>
    <use name="_Time"/>
</timePatterns>

<datePatterns>
    <use name="_Date"/>
    <use name="_Time"/>
</datePatterns>
</datetime>

Re: How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

woodcock — Thu, 26 May 2016 16:42:01 GMT

Once you switch to datetime.xml, the other time configurations do not work.

DO NOT EDIT /etc/system/local/datetime.xml!

Create a new file inside of your app:

/etc/apps/YourApp/default/datetime.xml

In any case, you don't need a custom datetime.xml and I wouldn't do it that way because it is complicated and unnecessary.

In props.conf all you should need is this:

TIME_PREFIX = "<LOG><DATE>"
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 27

This, of course, presumes that you have event line-breaking working correctly.

Re: How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

gagi76 — Fri, 27 May 2016 06:40:01 GMT

i succeeded with :

TIME_PREFIX = DATE>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S

Thanks for datetime.xml tips.

cheers

Re: How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

markusspitzli2 — Wed, 22 Jun 2016 08:50:52 GMT

Hey.

I have the same issue, but the date and time fields are on separate lines. How would you solve this?

...
<Date>20151130</Date>
<Time>082327</Time>
<Client>600</Client>
...

thanks
Markus

Re: How do I edit my datetime.xml file for my custom date and time to be recognized in Splunk?

markusspitzli2 — Wed, 22 Jun 2016 09:19:48 GMT

I just got the answer by myself:

     TIME_FORMAT = %Y%m%d</DATE>%n<TIME>%H%M%S