https://community.splunk.com/t5/Getting-Data-In/Trying-to-configure-timestamp-extraction/m-p/32384#M5757 <P>Am trying to index log entries there the time stamp information is at the starting of the first line of each log entry.<BR /> Sample timestamps from entries in a couple of types of associated log files are: <BR /> [7/17/10 4:24:53:269 CST] 00000048 SystemErr . . . <BR /> [10/5/11 11:55:08:992 PDT] 00000029 SystemOut . . . <BR /> [11/30/11 8:09:06:400 PST] 0000006e SystemOut . . . <BR /> [12/9/11 0:52:10:743 PST] 0000000a ResourceMgrIm . . . <BR /> 2/17/10 02:38:11 AM CST [INFO] [...Agent] . . .<BR /> 10/28/10 08:29:01 PM CDT [ERROR] [...Agent.Properties] . . .<BR /> 12/09/10 10:08:33 PM CST [WARN] [...Agent] . . .<BR /> 11/30/11 08:11:08 PM PST [INFO] [...Agent] . . . </P> <P>This is obviously ambiguous in form for date ( since 11/9/10 fould be year 2010 or 2011.<BR /> Have tried the following but doesn't work with recent entries at least those form of 1st 4 from today. Splunk doesnt recognize the time stamp. Am suspecting an issue with the day portion since only a single digit. Can't seem to find if there is a day designator form that allows for a single digit.</P> <P>In Applications's props.conf file:<BR /> [host::sample]<BR /> TIME_PREFIX = ^.<BR /> MAX_TIMESTAMP_LOOKAHEAD = 22<BR /> TIME_FORMAT = %y/%d/%m %k%M%S</P> <P>Anyone have some good suggestions? </P> Mon, 28 Sep 2020 10:12:46 GMT clmiller 2020-09-28T10:12:46Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-configure-timestamp-extraction/m-p/32384#M5757 <P>Am trying to index log entries there the time stamp information is at the starting of the first line of each log entry.<BR /> Sample timestamps from entries in a couple of types of associated log files are: <BR /> [7/17/10 4:24:53:269 CST] 00000048 SystemErr . . . <BR /> [10/5/11 11:55:08:992 PDT] 00000029 SystemOut . . . <BR /> [11/30/11 8:09:06:400 PST] 0000006e SystemOut . . . <BR /> [12/9/11 0:52:10:743 PST] 0000000a ResourceMgrIm . . . <BR /> 2/17/10 02:38:11 AM CST [INFO] [...Agent] . . .<BR /> 10/28/10 08:29:01 PM CDT [ERROR] [...Agent.Properties] . . .<BR /> 12/09/10 10:08:33 PM CST [WARN] [...Agent] . . .<BR /> 11/30/11 08:11:08 PM PST [INFO] [...Agent] . . . </P> <P>This is obviously ambiguous in form for date ( since 11/9/10 fould be year 2010 or 2011.<BR /> Have tried the following but doesn't work with recent entries at least those form of 1st 4 from today. Splunk doesnt recognize the time stamp. Am suspecting an issue with the day portion since only a single digit. Can't seem to find if there is a day designator form that allows for a single digit.</P> <P>In Applications's props.conf file:<BR /> [host::sample]<BR /> TIME_PREFIX = ^.<BR /> MAX_TIMESTAMP_LOOKAHEAD = 22<BR /> TIME_FORMAT = %y/%d/%m %k%M%S</P> <P>Anyone have some good suggestions? </P> Mon, 28 Sep 2020 10:12:46 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-configure-timestamp-extraction/m-p/32384#M5757 clmiller 2020-09-28T10:12:46Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-configure-timestamp-extraction/m-p/32385#M5758 <P>See my answer to a similar question</P> <P><A href="http://splunk-base.splunk.com/answers/36207/how-do-i-configure-timestamp-extraction-where-day-may-be-one-or-two-digits">http://splunk-base.splunk.com/answers/36207/how-do-i-configure-timestamp-extraction-where-day-may-be-one-or-two-digits</A></P> <P>hth,</P> <P>Kristian</P> Thu, 15 Dec 2011 11:50:48 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-configure-timestamp-extraction/m-p/32385#M5758 kristian_kolb 2011-12-15T11:50:48Z