<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic problems with time stamp extraction in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286884#M54802</link>
    <description>&lt;P&gt;I have been given a log file to ingest into Splunk as part of a Lab exercise, but Splunk is not extracting the time and date correctly.&lt;BR /&gt;
The log has a strange format and Splunk is trying to use the last octet of the IP Address as the year&lt;BR /&gt;
The file looks like&lt;BR /&gt;
site: 1 [16--07--01 07:01:00.001] 192.168.3.14 07 22 ErrorCode=43685  Aborted &lt;BR /&gt;
site: 2 [16--07--01 07:02:14.010] 192.168.3.15 07 22 ErrorCode=43681  Abend&lt;BR /&gt;
site: 1 [16--07--01 07:03:55.001] 192.168.3.15 07 21 ErrorCode=43685  Aborted&lt;/P&gt;

&lt;P&gt;Is there an easy way to resolve this issue?&lt;/P&gt;</description>
    <pubDate>Fri, 29 Jul 2016 06:46:36 GMT</pubDate>
    <dc:creator>dshakespeare_sp</dc:creator>
    <dc:date>2016-07-29T06:46:36Z</dc:date>
    <item>
      <title>problems with time stamp extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286884#M54802</link>
      <description>&lt;P&gt;I have been given a log file to ingest into Splunk as part of a Lab exercise, but Splunk is not extracting the time and date correctly.&lt;BR /&gt;
The log has a strange format and Splunk is trying to use the last octet of the IP Address as the year&lt;BR /&gt;
The file looks like&lt;BR /&gt;
site: 1 [16--07--01 07:01:00.001] 192.168.3.14 07 22 ErrorCode=43685  Aborted &lt;BR /&gt;
site: 2 [16--07--01 07:02:14.010] 192.168.3.15 07 22 ErrorCode=43681  Abend&lt;BR /&gt;
site: 1 [16--07--01 07:03:55.001] 192.168.3.15 07 21 ErrorCode=43685  Aborted&lt;/P&gt;

&lt;P&gt;Is there an easy way to resolve this issue?&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jul 2016 06:46:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286884#M54802</guid>
      <dc:creator>dshakespeare_sp</dc:creator>
      <dc:date>2016-07-29T06:46:36Z</dc:date>
    </item>
    <item>
      <title>Re: problems with time stamp extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286885#M54803</link>
      <description>&lt;P&gt;Congratulations! - you have used Splunk Answers to find the answer to the Lab.&lt;BR /&gt;
I am willing to provide some clues to assist.&lt;/P&gt;

&lt;P&gt;Try ingesting the log into Splunk using the Data Inputs GUI and use Data Preview.&lt;BR /&gt;
You will see the date is in a non-standard format and the IP address has been designed to look like a year.&lt;BR /&gt;
You will need to set the following&lt;BR /&gt;
A Time Stamp Format to deal with the time stamp&lt;BR /&gt;
A Time Stamp Prefix to locate the time stamp (hint: you may need a regex for this - regex101.com is a good place to test this)&lt;BR /&gt;
A Time Stamp Look Ahead &lt;/P&gt;

&lt;P&gt;The Splunk Admin Manual and the Splunk Cheat Sheet will also provide help&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jul 2016 06:57:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286885#M54803</guid>
      <dc:creator>dshakespeare_sp</dc:creator>
      <dc:date>2016-07-29T06:57:28Z</dc:date>
    </item>
    <item>
      <title>Re: problems with time stamp extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286886#M54804</link>
      <description>&lt;P&gt;For your sourcetype, you need to look at specifying the timestamp format, along with a few other options. Another thing is that your year/m/d format isn't a supported type out of the box.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[mysourcetype]
DATETIME_CONFIG = NONE
TIME_PREFIX = ^\[
TIME_FORMAT = %m--%d--%y %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 26
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configuretimestamprecognition"&gt;http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Configuretimestamprecognition&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jul 2016 06:58:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286886#M54804</guid>
      <dc:creator>esix_splunk</dc:creator>
      <dc:date>2016-07-29T06:58:23Z</dc:date>
    </item>
    <item>
      <title>Re: problems with time stamp extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286887#M54805</link>
      <description>&lt;P&gt;You  need to specify values for &lt;CODE&gt;TIME_PREFIX&lt;/CODE&gt; and &lt;CODE&gt;TIME_FORMAT&lt;/CODE&gt; for your file.  To help you any more would be inappropriate because you are supposed to do the work yourself.&lt;/P&gt;</description>
      <pubDate>Fri, 29 Jul 2016 23:24:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286887#M54805</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2016-07-29T23:24:02Z</dc:date>
    </item>
    <item>
      <title>Re: problems with time stamp extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286888#M54806</link>
      <description>&lt;P&gt;You are BOTH Correct. I set this as a "new starter" challenge. &lt;BR /&gt;
The task was twofold.&lt;BR /&gt;
 1. How to deal with a non-standard timestamp&lt;BR /&gt;
 2. To see the power of Splunk Answers (and not have to re-invent the wheel)&lt;/P&gt;

&lt;P&gt;BTW Eric, I think TIME_PREFIX = ^[   should read TIME_PREFIX = [ &lt;/P&gt;

&lt;P&gt;🙂&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 10:26:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/problems-with-time-stamp-extraction/m-p/286888#M54806</guid>
      <dc:creator>dshakespeare_sp</dc:creator>
      <dc:date>2020-09-29T10:26:41Z</dc:date>
    </item>
  </channel>
</rss>