<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00) in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370796#M67342</link>
    <description>&lt;P&gt;I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.&lt;/P&gt;

&lt;P&gt;I am using the syslog data source, which I configured to parse timestamps with the following format string: &lt;STRONG&gt;%Y-%m-%dT%H:%M:%S.%6N%:z&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;This is what the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):&lt;BR /&gt;
  &lt;CODE&gt;&lt;BR /&gt;
[syslog]&lt;BR /&gt;
DATETIME_CONFIG =&lt;BR /&gt;
MAX_TIMESTAMP_LOOKAHEAD = 32&lt;BR /&gt;
NO_BINARY_CHECK = true&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z&lt;BR /&gt;
disabled = false&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;This is how Splunk is outputting my log messages:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info]  This is just a dummy log message&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 14:00:09 GMT</pubDate>
    <dc:creator>efcasado</dc:creator>
    <dc:date>2020-09-29T14:00:09Z</dc:date>
    <item>
      <title>Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370796#M67342</link>
      <description>&lt;P&gt;I am having issues getting Splunk to parse the ISO8601/RFC3339 timestamps included in my log messages.&lt;/P&gt;

&lt;P&gt;I am using the syslog data source, which I configured to parse timestamps with the following format string: &lt;STRONG&gt;%Y-%m-%dT%H:%M:%S.%6N%:z&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;This is what the props.conf file looks like (I also tried increasing the MAX_TIMESTAMP_LOOKAHEAD setting to 64, but it did not help):&lt;BR /&gt;
  &lt;CODE&gt;&lt;BR /&gt;
[syslog]&lt;BR /&gt;
DATETIME_CONFIG =&lt;BR /&gt;
MAX_TIMESTAMP_LOOKAHEAD = 32&lt;BR /&gt;
NO_BINARY_CHECK = true&lt;BR /&gt;
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z&lt;BR /&gt;
disabled = false&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;This is how Splunk is outputting my log messages:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;2017-05-09T19:56:50.233319+00:00 myhost myapp1[13861]: 19:56:50.233 [info]  This is just a dummy log message&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;As you can see, Splunk is automatically adding yet another timestamp to my log message (i.e. 19:56:50.233) just as if it was not able to parse the original timestamp.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 14:00:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370796#M67342</guid>
      <dc:creator>efcasado</dc:creator>
      <dc:date>2020-09-29T14:00:09Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370797#M67343</link>
      <description>&lt;P&gt;Can you please add the raw data here too? Splunk won't add a new time as per the above config, but I feel it is added by your syslog server or upstream system.&lt;/P&gt;</description>
      <pubDate>Tue, 09 May 2017 20:58:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370797#M67343</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2017-05-09T20:58:32Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk cannot parse ISO8601/RFC3339 timestamp (e.g. 2017-05-09T19:56:50.233319+00:00)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370798#M67344</link>
      <description>&lt;P&gt;Hi efcasado,&lt;BR /&gt;
having an example of your logs I could test it, but it seems to me that the problem may be in the timezone:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;%Y-%m-%dT%H:%M:%S.%6N%z
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 10 May 2017 14:25:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-cannot-parse-ISO8601-RFC3339-timestamp-e-g-2017-05-09T19/m-p/370798#M67344</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-05-10T14:25:53Z</dc:date>
    </item>
  </channel>
</rss>

