https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284708#M54380 <P>Exactly what i already built. Very useful. You can also recycle some stuff of the original datetime.xml</P> Thu, 07 Jun 2018 02:20:32 GMT effem 2018-06-07T02:20:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284704#M54376 <P>I have a log that has time expressed like this <CODE>20151218111015</CODE>. So that would be December 18th, 2015 11:10:15. However, sometimes it doesn't have the seconds. So, the props.conf TIME_FORMAT could be either <CODE>%Y%m%d%H%M%S</CODE> or <CODE>%Y%m%d%H%M</CODE>. If I put in the first, then the events without seconds don't get the correct time ... they just get the time that the event was indexed. If I put in the second, then none of my events have seconds. Is there any way around this? I would like it to keep the seconds if they exist.</P> Fri, 18 Dec 2015 19:16:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284704#M54376 dstuder 2015-12-18T19:16:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284705#M54377 <P>It's a tricky one. If you have any control over the log format try to fix that first. It should be consistent.</P> <P>If that's not possible then I would go for the one without seconds in your universal fw and then capture the seconds with regex and overwrite the timestamp before indexing. I can't remember whether this is possible or not for the timestamp but it's definitely doable for other meta fields such as host or source type. </P> <P>Keep in mind this is going to add an unnecessary load in your indexer or heavy forwarder but if your time is not consistent you don't have that many options I'm afraid. </P> <P>Thanks,<BR /> J</P> Fri, 18 Dec 2015 20:00:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284705#M54377 javiergn 2015-12-18T20:00:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284706#M54378 <P>See if this post answers your question</P> <P><A href="http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem">http://www.function1.com/2013/01/oh-no-splunking-log-files-with-multiple-formats-no-problem</A></P> Fri, 18 Dec 2015 20:03:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284706#M54378 sundareshr 2015-12-18T20:03:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284707#M54379 <P>Already answered here: <A href="https://answers.splunk.com/answering/11189/view.html" target="_blank">https://answers.splunk.com/answering/11189/view.html</A></P> <BLOCKQUOTE> <P>If there are multiple timestamps, you can use a custom DATETIME_CONFIG instead of specifying TIME_FORMAT and TIME_PREFIX.</P> </BLOCKQUOTE> Tue, 29 Sep 2020 16:28:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284707#M54379 goelli 2020-09-29T16:28:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284708#M54380 <P>Exactly what i already built. Very useful. You can also recycle some stuff of the original datetime.xml</P> Thu, 07 Jun 2018 02:20:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-props-conf-TIME-FORMAT-to-recognize-2/m-p/284708#M54380 effem 2018-06-07T02:20:32Z