https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/520308#M171738 <P>Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in <A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables</A>.</P><P>Again, great knowledge!</P> Fri, 18 Sep 2020 11:48:32 GMT tomasmoser 2020-09-18T11:48:32Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422732#M171728 <P>I have a log file with events that start like - <CODE>2019-01-09 11:19:37 WARN</CODE>.</P> <P>We ended up using <CODE>TIME_FORMAT=%Y-%m-%d%t%H:%M:%S</CODE> and I don't like the <CODE>%t</CODE> (tab) part. </P> <P>Is there a better way to handle the white space in <CODE>TIME_FORMAT</CODE>?</P> Tue, 23 Apr 2019 17:53:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422732#M171728 ddrillic 2019-04-23T17:53:03Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422733#M171729 <P>The SE said -</P> <P>You just leave a blank space; </P> <PRE><CODE>TIME_FORMAT=%Y-%m-%d %H:%M:%S </CODE></PRE> Tue, 23 Apr 2019 19:42:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422733#M171729 ddrillic 2019-04-23T19:42:05Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422734#M171730 <P>Just a space <CODE>" "</CODE><BR /><BR /> nothing more nothing else</P> <P>sometimes you will see capital <CODE>T</CODE><BR /> check out this example and see</P> <PRE><CODE>| makeresults count=1 | eval time_with_space1 = "2019-01-09 11:19:37" | eval time_with_space2 = "2019 01 09 11:19:37" | eval time_with_space3 = "2019-01-09T11:19:37" | eval check_that_time_format_works1 = strftime(strptime(time_with_space1, "%Y-%m-%d %H:%M:%S"), "%c") | eval check_that_time_format_works2 = strftime(strptime(time_with_space2, "%Y %m %d %H:%M:%S"), "%c") | eval check_that_time_format_works3 = strftime(strptime(time_with_space3, "%Y-%m-%dT%H:%M:%S"), "%c") </CODE></PRE> <P>hope it helps</P> Tue, 23 Apr 2019 23:35:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422734#M171730 adonio 2019-04-23T23:35:44Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422735#M171731 <P>Interesting, I added a couple of spaces here between and the date and the time - </P> <PRE><CODE> | eval time_with_space1 = "2019-01-09 11:19:37" </CODE></PRE> <P>And it still works!!!</P> <P>So, the space within <CODE>"%Y-%m-%d %H:%M:%S"</CODE> is stretchable, right?</P> <P>My conclusion is that any combination of spaces and tabs in the data should be condensed to one space within <CODE>TIME_FORMAT</CODE>. I hope it's correct.</P> Tue, 23 Apr 2019 23:41:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422735#M171731 ddrillic 2019-04-23T23:41:00Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422736#M171732 <P>You can use combinations of <CODE>%r</CODE>, <CODE>%n</CODE>, <CODE>%t</CODE> and a regular space character. The numbers are not important, but the order is.</P> Wed, 24 Apr 2019 00:50:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422736#M171732 woodcock 2019-04-24T00:50:33Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422737#M171733 <P>Thank you @woodcock !!!</P> Wed, 24 Apr 2019 00:56:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422737#M171733 ddrillic 2019-04-24T00:56:28Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422738#M171734 <P>Thank you @adonio !!!</P> Wed, 24 Apr 2019 00:56:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422738#M171734 ddrillic 2019-04-24T00:56:59Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422739#M171735 <P>@woodcock, will a tab in the data be captured by a space in <CODE>TIME_FORMAT=%Y-%m-%d %H:%M:%S</CODE>?</P> Wed, 24 Apr 2019 01:31:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422739#M171735 ddrillic 2019-04-24T01:31:28Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422740#M171736 <P>No, you need to use <CODE>%t</CODE>.</P> Wed, 24 Apr 2019 01:48:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422740#M171736 woodcock 2019-04-24T01:48:56Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422741#M171737 <P>Wow - a bit limiting ; -)</P> Wed, 24 Apr 2019 13:37:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/422741#M171737 ddrillic 2019-04-24T13:37:06Z https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/520308#M171738 <P>Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in <A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables</A>.</P><P>Again, great knowledge!</P> Fri, 18 Sep 2020 11:48:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-we-handle-white-space-in-TIME-FORMAT/m-p/520308#M171738 tomasmoser 2020-09-18T11:48:32Z