topic Custom Datetime.xml not working for log with multiple timestamp in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Custom-Datetime-xml-not-working-for-log-with-multiple-timestamp/m-p/306097#M57735 <P>Hello,</P> <P>We have log which have 5 different timestamp. I am trying to use custom datetime.xml created using splunk train dates cmd but it is not working.</P> <P>Different Timestamps</P> <P>2018-01-05_18:15:42.208<BR /> 2018-01-05 18:15:42<BR /> Jan 5, 2018 6:15:52 PM<BR /> &lt;05-Jan-2018 6:15:58,916 EST PM&gt;</P> <P>custom datetime.xml</P> <PRE><CODE> &lt;text&gt;&lt;![CDATA[\&lt;(\w+)\s(\d+),\s(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\d+)-(\d+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[-\d+-\d+_(\d+):(\d+):(\d+)\.(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\d+)-(\d+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[-\d+-\d+\s(\d+):(\d+):(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\w+)\s(\d+),\s(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[\&lt;(\d+)-(\w+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[\w-\d+\s(\d+):(\d+):(\d+),\d+\s(\w+)\s(\w+)]]&gt;&lt;/text&gt; </CODE></PRE> <P>props.conf<BR /> TZ_ALIAS=EST=GMT+11<BR /> SHOULD_LINEMERGE=false<BR /> NO_BINARY_CHECK=true<BR /> CHARSET=UTF-8<BR /> disabled=false<BR /> DATETIME_CONFIG = /opt/splunk/etc/system/local/datetime.xml<BR /> LINE_BREAKER=([\r\n]+)(?:(?:&lt;(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2})\s(\w{3})&gt;)|(?:(\d{4})-(\d{2})-(\d{2})_(\d{2}):(\d{2}):(\d{2}).(\d{3}))|(?:(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}))|(?:(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2}))|(?:&lt;(\d{1,2})-(\w{3})-(\d{4})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})\s(\w{3})\s(\w{2})&gt;))</P> <P>When testing using above configuration using Add Data - Splunk is not showing any data and reporting "No results found. Please change source type, adjust source type settings, or check your source file."</P> Tue, 29 Sep 2020 17:39:15 GMT hemendralodhi 2020-09-29T17:39:15Z Custom Datetime.xml not working for log with multiple timestamp https://community.splunk.com/t5/Getting-Data-In/Custom-Datetime-xml-not-working-for-log-with-multiple-timestamp/m-p/306097#M57735 <P>Hello,</P> <P>We have log which have 5 different timestamp. I am trying to use custom datetime.xml created using splunk train dates cmd but it is not working.</P> <P>Different Timestamps</P> <P>2018-01-05_18:15:42.208<BR /> 2018-01-05 18:15:42<BR /> Jan 5, 2018 6:15:52 PM<BR /> &lt;05-Jan-2018 6:15:58,916 EST PM&gt;</P> <P>custom datetime.xml</P> <PRE><CODE> &lt;text&gt;&lt;![CDATA[\&lt;(\w+)\s(\d+),\s(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)\s(\w+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\d+)-(\d+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[-\d+-\d+_(\d+):(\d+):(\d+)\.(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\d+)-(\d+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[-\d+-\d+\s(\d+):(\d+):(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[(\w+)\s(\d+),\s(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[,\s\d+\s(\d+):(\d+):(\d+)\s(\w+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[\&lt;(\d+)-(\w+)-(\d+)]]&gt;&lt;/text&gt; &lt;text&gt;&lt;![CDATA[\w-\d+\s(\d+):(\d+):(\d+),\d+\s(\w+)\s(\w+)]]&gt;&lt;/text&gt; </CODE></PRE> <P>props.conf<BR /> TZ_ALIAS=EST=GMT+11<BR /> SHOULD_LINEMERGE=false<BR /> NO_BINARY_CHECK=true<BR /> CHARSET=UTF-8<BR /> disabled=false<BR /> DATETIME_CONFIG = /opt/splunk/etc/system/local/datetime.xml<BR /> LINE_BREAKER=([\r\n]+)(?:(?:&lt;(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2})\s(\w{3})&gt;)|(?:(\d{4})-(\d{2})-(\d{2})_(\d{2}):(\d{2}):(\d{2}).(\d{3}))|(?:(\d{4})-(\d{2})-(\d{2})\s(\d{2}):(\d{2}):(\d{2}))|(?:(\w{3})\s(\d{1,2}),\s(\d{4})\s(\d{1,2}):(\d{2}):(\d{2})\s(\w{2}))|(?:&lt;(\d{1,2})-(\w{3})-(\d{4})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})\s(\w{3})\s(\w{2})&gt;))</P> <P>When testing using above configuration using Add Data - Splunk is not showing any data and reporting "No results found. Please change source type, adjust source type settings, or check your source file."</P> Tue, 29 Sep 2020 17:39:15 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Datetime-xml-not-working-for-log-with-multiple-timestamp/m-p/306097#M57735 hemendralodhi 2020-09-29T17:39:15Z Re: Custom Datetime.xml not working for log with multiple timestamp https://community.splunk.com/t5/Getting-Data-In/Custom-Datetime-xml-not-working-for-log-with-multiple-timestamp/m-p/306098#M57736 <P>Here is the configuration for datetime.xml<BR /> <A href="https://answers.splunk.comstorage/temp/225725-datetime-xml.txt">datetime.xml</A></P> Mon, 15 Jan 2018 07:12:04 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Datetime-xml-not-working-for-log-with-multiple-timestamp/m-p/306098#M57736 hemendralodhi 2018-01-15T07:12:04Z