topic Re: Time is not getting extracted properly ? in Splunk Search

Time is not getting extracted properly ?

lohitkidu — Tue, 29 Sep 2020 08:59:24 GMT

Hi All,

I am not able to extract time format from events like below

07/03/2016 Mon Mar 7 10:42:25 2016 Info: End Logfile
10:42:31.000

As it can be seen original time is 10.42.25 whereas splunk is parsing time as 10:42:31.000 . It is off by 6 seconds and it varies among other events how much it is getting off by. Below is my props.conf for this sourcetype:
[abc]
TIME_PREFIX=^
TIME_FORMAT=%c

But it is not working . What am i doing wrong ?

Re: Time is not getting extracted properly ?

alemarzu — Mon, 07 Mar 2016 18:13:05 GMT

Hi there

Thats weird mate, what Splunk version are you running ? Because timestamp recognition works just fine for me on 6.2.3 & 6.3.0

Re: Time is not getting extracted properly ?

Richfez — Tue, 08 Mar 2016 03:09:16 GMT

"07/03/2016 Mon Mar 7 10:42:25"

Could be matched by

[abc]
TIME_PREFIX=^
TIME_FORMAT=%d/%m/%Y %a %b %H:%M:%S

Derived from careful study of the date and time format variables. I'm not 100% positive %c matches that. (I generally try to not use 'magic' variables in those, because magic is a bit fiddly and has a way of biting the hand that's feeding it.)

Re: Time is not getting extracted properly ?

lohitkidu — Tue, 08 Mar 2016 04:22:21 GMT

Correct rich7177. Seems like %c is not working here. I do not know why

I have matched it with
TIME_FORMAT=%a %b %d %H:%M:%S %Y