https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33841#M6081 <P>Hi There,</P> <P>I am having trouble recognizing time format of %Y%m%d|%H%M%S (e.g. |20130813|235858 )</P> <P>I have tried using the following settings in props.conf</P> <PRE><CODE>TIME_PREFIX = \| TIME_FORMAT = %Y%m%d\|%H%M%S </CODE></PRE> <P>and</P> <PRE><CODE>TIME_PREFIX = \| TIME_FORMAT = %Y%m%d|%H%M%S </CODE></PRE> <P>both not working.</P> <P>Can anyone help me out here please.</P> Wed, 14 Aug 2013 01:01:28 GMT saad_siddiqi 2013-08-14T01:01:28Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33841#M6081 <P>Hi There,</P> <P>I am having trouble recognizing time format of %Y%m%d|%H%M%S (e.g. |20130813|235858 )</P> <P>I have tried using the following settings in props.conf</P> <PRE><CODE>TIME_PREFIX = \| TIME_FORMAT = %Y%m%d\|%H%M%S </CODE></PRE> <P>and</P> <PRE><CODE>TIME_PREFIX = \| TIME_FORMAT = %Y%m%d|%H%M%S </CODE></PRE> <P>both not working.</P> <P>Can anyone help me out here please.</P> Wed, 14 Aug 2013 01:01:28 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33841#M6081 saad_siddiqi 2013-08-14T01:01:28Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33842#M6082 <P>Does the log starts with the time field? Could you paste a little more of the log?</P> Wed, 14 Aug 2013 05:59:14 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33842#M6082 linu1988 2013-08-14T05:59:14Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33843#M6083 <P>are there any other pipes before the one preceding the timestamp? Please post a few sample events.</P> Wed, 14 Aug 2013 07:01:32 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33843#M6083 kristian_kolb 2013-08-14T07:01:32Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33844#M6084 <P>Thank you for looking into this</P> <P>Below are some events<BR /> |CALLCONTROL|VMSIVR2|107|20130814|130224|130230|I<BR /> |CALLCONTROL|VMSIVR2|183|20130814|130224|130230|I<BR /> |CALLCONTROL|VMSIVR2|99|20130814|130124|130230|I<BR /> |PROVI|APS2|20130814|130240|<BR /> |PROVI|APS2|20130814|130253| <BR /> |SMSC|VMSIVR2||20130814|125501|<BR /> |SMSC|VMSIVR2||20130814|125511<BR /> |20130814|125959|202|12342|<BR /> |20130814|134950|203|12451|</P> <P>Please note that the timestamp is moving here and there since this log is getting combined from various sources.</P> Wed, 14 Aug 2013 09:33:06 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33844#M6084 saad_siddiqi 2013-08-14T09:33:06Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33845#M6085 <P>The docs on TIME_PREFIX can give some explanation;</P> <P><CODE>TIME_PREFIX = &lt;regular expression&gt;<BR /> * If set, splunk scans the event text for a match for this regex in event text before attempting <BR /> to extract a timestamp.<BR /> * The timestamping algorithm only looks for a timestamp</CODE> <STRONG>in the text following the end of the <BR /> first regex match</STRONG><CODE>.<BR /> * For example, if TIME_PREFIX is set to "abc123", only text following the first occurrence of the <BR /> text abc123 will be used for timestamp extraction</CODE>.</P> <P>Perhaps something like this could work; </P> <PRE><CODE>TIME_PREFIX = \|(?=\d{8}) </CODE></PRE> <P>Haven't tried it in Splunk, but it works in the excellent online regex tester found at </P> <P><A href="http://gskinner.com/RegExr/">http://gskinner.com/RegExr/</A></P> Wed, 14 Aug 2013 11:40:30 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33845#M6085 kristian_kolb 2013-08-14T11:40:30Z https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33846#M6086 <P>Yes working very well.</P> <P><CODE>NO_BINARY_CHECK=1<BR /> SHOULD_LINEMERGE=false<BR /> TIME_FORMAT=%Y%m%d|%H%M%S<BR /> TIME_PREFIX=\|(?=\d{8})</CODE></P> Wed, 14 Aug 2013 14:08:49 GMT https://community.splunk.com/t5/Getting-Data-In/Time-format-having-pipe-quot-quot/m-p/33846#M6086 linu1988 2013-08-14T14:08:49Z