https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428090#M74989 <P>hi @sathiyasun, </P> <P>Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues. Thanks!!</P> Tue, 28 Aug 2018 21:47:27 GMT mstjohn_splunk 2018-08-28T21:47:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428086#M74985 <P>I have a props.comf that is not working for TIME_FORMAT and TIME_PREFIX for the below log structure. Trying to break the LINE_BREAK from the first line. Please help.</P> <P>Error when i try to upload the log: ( "Could not use strptime to parse timestamp from Token TOKEN = DD215569A74FB06F5BC0C966CF60AD86:2018-08-27 14:28:06,382 , Failed to parse timestamp defaulting to file modtime)</P> <P>Log:-</P> <P>INFO:SESSION TOKEN = DD215569A74FB06F5BC0C966CF60AD86:2018-08-27 14:28:06,382<BR /> INFO:REQUEST:2018-08-27 14:28:15,000<BR /> INFO:</P> <P>Props.conf<BR /> [ wsa:splunkalert:log ]<BR /> CHARSET=UTF-8<BR /> LINE_BREAKER=([\r\n]+)(\w+:\w+\s\w+\s=\s\w+:\d+-\d+-\d+\s\d+:\d+:\d+\,\d+)<BR /> MAX_TIMESTAMP_LOOKAHEAD=30<BR /> NO_BINARY_CHECK=1<BR /> SHOULD_LINEMERGE=false<BR /> TIME_FORMAT= %H-%m-%d %H:%M:%S,3N<BR /> TIME_PREFIX=\s<BR /> disabled=false<BR /> pulldown_type=true</P> Tue, 29 Sep 2020 21:02:27 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428086#M74985 sathiyasun 2020-09-29T21:02:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428087#M74986 <P>Hi @sathiyasun,</P> <P>What is the timestamp in your sample data <CODE>:2018-08-27 14:28:06,382</CODE> OR <CODE>2018-08-27 14:28:15,000</CODE>? </P> Tue, 28 Aug 2018 12:23:55 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428087#M74986 harsmarvania57 2018-08-28T12:23:55Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428088#M74987 <P>I think you need <CODE>TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N</CODE>.<BR /> The <CODE>TIME_PREFIX</CODE> setting should not be "\s" as none of the timestamps in your sample event are preceded by a space. Perhaps <CODE>TIME_PREFIX = :</CODE> will work.</P> Tue, 28 Aug 2018 12:33:27 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428088#M74987 richgalloway 2018-08-28T12:33:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428089#M74988 <P>This is the date &amp;timestamp<BR /> DD215569A74FB06F5BC0C966CF60AD86:2018-08-27 14:28:06,382</P> Tue, 28 Aug 2018 14:40:08 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428089#M74988 sathiyasun 2018-08-28T14:40:08Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428090#M74989 <P>hi @sathiyasun, </P> <P>Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues. Thanks!!</P> Tue, 28 Aug 2018 21:47:27 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428090#M74989 mstjohn_splunk 2018-08-28T21:47:27Z https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428091#M74990 <P>I am assuming that you have multi line events in that case please try with <CODE>TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N</CODE> , <CODE>TIME_PREFIX = ^(?s)(?:[^\:]*\:){2}</CODE> and <CODE>SHOULD_LINEMERGE = true</CODE> in props.conf on Indexer or Heavy forwarder whichever comes first from UF.</P> Thu, 30 Aug 2018 13:55:52 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-on-TIME-FORMAT-and-TIME-PREFIX/m-p/428091#M74990 harsmarvania57 2018-08-30T13:55:52Z