https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501625#M85478 <PRE><CODE>[ esx ] CHARSET=UTF-8 SHOULD_LINEMERGE=false disabled=false TIME_FORMAT=%FT%T.%3QZ TIME_PREFIX=\w{4,}\s LINE_BREAKER=([\r\n]+) </CODE></PRE> <P><CODE>TIME_PREFIX</CODE> is <CODE>hostname</CODE> ,your real hostname is with [^A-z0-9_]+, change REGEX.</P> <P><span class="lia-inline-image-display-wrapper"><img src="https://community.splunk.com/skins/images/AB5A2AECCF16BFE0405068565746F78A/responsive_peak/images/image_not_found.png" /></span></P> Sat, 28 Mar 2020 05:39:40 GMT to4kawa 2020-03-28T05:39:40Z https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501624#M85477 <P>Hi,</P> <P>I have trouble to parse the timestamp of ESX-logs.</P> <P>The esx-syslog:<BR /> Mar 18 21:15:02 hostname 2020-03-18T20:15:02.109Z hostname hostd-probe: info hostd-probe[FFA22350]<BR /> and antoher log:<BR /> Mar 18 21:15:02 hostname 2020-03-18T20:15:02Z hostname hostd-probe: info hostd-probe[FFA22350]</P> <P>Because of some special multiline log I cut with SEDCMD the trailing splunk date "Mar 18 21:15:02". But this is done at the end of the parsing phase during indexing. So splunk tries first to read the date from the whole log. There are two formats, I like to have the date with milliseconds. </P> <P>Problems: the timezone is not recognized! I have an offset from 1 or 2 hours. And the milliseconds are not extracted.</P> <P>I tried:<BR /> - TZ = UTC<BR /> TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N<BR /> -&gt; does not work (maybe the T in the format string is not valid)<BR /> - added some lines in datetime.xml and referenced it with DATETIME_CONFIG in props.conf (checked with btool )</P> <PRE><CODE> &lt;define name="_time_without_zone" extract="hour, minute, second, subsecond"&gt; &lt;text&gt;&lt;![CDATA[(?&lt;=T)]]&gt;&lt;/text&gt; &lt;use name="_hour"/&gt; &lt;text&gt;&lt;![CDATA[:]]&gt;&lt;/text&gt; &lt;use name="_minute"/&gt; &lt;text&gt;&lt;![CDATA[:]]&gt;&lt;/text&gt; &lt;use name="_second"/&gt; &lt;text&gt;&lt;)? {0,2}]]&gt;&lt;/text&gt; &lt;/define&gt; &lt;timePatterns&gt; &lt;use name="_time_without_zone"/&gt; &lt;use name="_time"/&gt; &lt;use name="_time_without_subsec"/&gt; &lt;use name="_time_no_sub"/&gt; &lt;use name="_time_esxi_4x"/&gt; &lt;!-- Uncomment the below comments if ESX 4 exists in the environment &lt;use name="_time_esx_4x"/&gt; --&gt; &lt;/timePatterns&gt; </CODE></PRE> <P>SO how can I extract the correct date and timezone?</P> <P>Torsten</P> Wed, 30 Sep 2020 04:43:57 GMT https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501624#M85477 tfechner 2020-09-30T04:43:57Z https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501625#M85478 <PRE><CODE>[ esx ] CHARSET=UTF-8 SHOULD_LINEMERGE=false disabled=false TIME_FORMAT=%FT%T.%3QZ TIME_PREFIX=\w{4,}\s LINE_BREAKER=([\r\n]+) </CODE></PRE> <P><CODE>TIME_PREFIX</CODE> is <CODE>hostname</CODE> ,your real hostname is with [^A-z0-9_]+, change REGEX.</P> <P><span class="lia-inline-image-display-wrapper"><img src="https://community.splunk.com/skins/images/AB5A2AECCF16BFE0405068565746F78A/responsive_peak/images/image_not_found.png" /></span></P> Sat, 28 Mar 2020 05:39:40 GMT https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501625#M85478 to4kawa 2020-03-28T05:39:40Z https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501626#M85479 <P>works now - thank you.<BR /> does splunk handle %F and %T different than %H:%M....<BR /> your props seems to be very similar to mine.</P> Tue, 31 Mar 2020 09:34:19 GMT https://community.splunk.com/t5/Getting-Data-In/vmware-esxlog-and-datetime-parsing/m-p/501626#M85479 tfechner 2020-03-31T09:34:19Z