https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153106#M185601 <P>Well <CODE>TIME_PREFIX</CODE> is used to ensure that you find the start of the timestamp in the events, whereas <CODE>TIME_FORMAT</CODE> will allow you to specify how the timstamp is formatted. </P> <P>In your case, you seem to be having three different time formats, but the first seems to be of less interest (service started?). The second two differ very little, and if you can make do without the millisecond precision, you could probably have something like this config (in props.conf);</P> <PRE><CODE>[your_sourcetype] MAX_TIMESTAMP_LOOKAHEAD = 50 TIME_FORMAT = %Y-%m-%d %H:%M:%S </CODE></PRE> <P>Unfortunately, TIME_FORMAT does not take a regex as parameter value, otherwise it would have been easy to handle the dot/comma difference.</P> <HR /> <P>UPDATE:</P> <P>Perhaps you could also add the <CODE>TIME_PREFIX</CODE> as such;</P> <PRE><CODE>TIME_PREFIX = (:\s|&lt;|^) </CODE></PRE> <P>The <CODE>TIME_PREFIX</CODE> will match the first instance it finds of the pattern, and will start looking for a timestamp immediately after it (which must be formatted according to the <CODE>TIME_FORMAT</CODE>)</P> <P>Not sure it will have any success on the first message. </P> <P>/K</P> Mon, 17 Feb 2014 14:49:51 GMT kristian_kolb 2014-02-17T14:49:51Z https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153105#M185600 <P>Hi<BR /> I have a log-file with diffrent time formats.<BR /> Is it possible to extract this diffrent timestamps with TIME_PREFIX in propts.conf?<BR /> Loglines:</P> <PRE><CODE>&lt;Feb 17, 2014 8:32:42 AM CET&gt; &lt;Notice&gt; &lt;WebLogicServer&gt; &lt;BEA-000365&gt; &lt;Server state changed to STARTING&gt; [EL Finest]: 2014-02-17 08:32:45.961--ServerSession(998916174)--Thread(Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads])--property=eclipselink.logging.level.sql; value=FINEST; translated value=FINEST [EL Finer]: 2014-02-17 08:32:45.973--ServerSession(998916174)--Thread(Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads])--Searching for default mapping file in file:/opt/user_projects/domains/tdapp12/servers/tsapp12maportal01/tmp/_WL_user/clientportal/a7daku/APP-INF/lib/sympany.clientportal.jpa.jar [EL Config]: 2014-02-17 08:32:45.982--ServerSession(998916174)--Thread(Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads])--The access type for the persistent class [class ch.sympany.clientportal.model.UserPreferences] is set to [FIELD]. 2014-02-17 08:32:54,248 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG ch.sympany.clientportal.servlet.StartupServletContextListener - StartupServletContextListener initialised. </CODE></PRE> Mon, 17 Feb 2014 13:17:32 GMT https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153105#M185600 surfjose 2014-02-17T13:17:32Z https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153106#M185601 <P>Well <CODE>TIME_PREFIX</CODE> is used to ensure that you find the start of the timestamp in the events, whereas <CODE>TIME_FORMAT</CODE> will allow you to specify how the timstamp is formatted. </P> <P>In your case, you seem to be having three different time formats, but the first seems to be of less interest (service started?). The second two differ very little, and if you can make do without the millisecond precision, you could probably have something like this config (in props.conf);</P> <PRE><CODE>[your_sourcetype] MAX_TIMESTAMP_LOOKAHEAD = 50 TIME_FORMAT = %Y-%m-%d %H:%M:%S </CODE></PRE> <P>Unfortunately, TIME_FORMAT does not take a regex as parameter value, otherwise it would have been easy to handle the dot/comma difference.</P> <HR /> <P>UPDATE:</P> <P>Perhaps you could also add the <CODE>TIME_PREFIX</CODE> as such;</P> <PRE><CODE>TIME_PREFIX = (:\s|&lt;|^) </CODE></PRE> <P>The <CODE>TIME_PREFIX</CODE> will match the first instance it finds of the pattern, and will start looking for a timestamp immediately after it (which must be formatted according to the <CODE>TIME_FORMAT</CODE>)</P> <P>Not sure it will have any success on the first message. </P> <P>/K</P> Mon, 17 Feb 2014 14:49:51 GMT https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153106#M185601 kristian_kolb 2014-02-17T14:49:51Z https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153107#M185602 <P>It does not work.<BR /> It taks findes only the timestamp from this log entry:<BR /> 2014-02-17 08:32:54,248 [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG ch.sympany.clientportal.servlet.StartupServletContextListener - StartupServletContextListener initialised.</P> <P>The best filter i have create is this one:</P> <PRE><CODE>[my_sourcetype] MAX_TIMESTAMP_LOOKAHEAD = 50 TIME_PREFIX = \[EL Finest]:|\[EL Finer]:|\[EL Config]: |\&lt; </CODE></PRE> <P>But the result is not 100%.</P> <P>Any ideas in this way?</P> Mon, 17 Feb 2014 15:18:34 GMT https://community.splunk.com/t5/Splunk-Search/TIME-PREFIX/m-p/153107#M185602 surfjose 2014-02-17T15:18:34Z