topic Re: Date Parsing in Splunk Search

Date Parsing

dmrhodes101 — Wed, 04 Jul 2012 15:46:18 GMT

Hi all

I have the following in a log file that we're passing to Splunk:

Log for 03/07/2012 06:47:43

The date is being parsed as 07/03/2012 so we added:

TIME_PREFIX = "Log for "

TIME_FORMAT = %d/%m/%Y %H:%M:%S

to PROPS.CONF

I'm still getting 07/03 and also a "Could not use strptime to parse timestamp".

Can anyone assist?
Thanks

Re: Date Parsing

Ayn — Wed, 04 Jul 2012 16:14:53 GMT

Your TIME_PREFIX is wrong. It shouldn't include quotes, as Splunk will interpret that as that it should literally match the whole string including the quotes.

Re: Date Parsing

dmrhodes101 — Thu, 05 Jul 2012 08:43:48 GMT

Thanks Ayn

I've changed that, but there's no difference I'm afraid.

The date is highlighted, but it insists on converting to a US date.

Re: Date Parsing

Ayn — Thu, 05 Jul 2012 08:46:30 GMT

Are you looking at newly indexed data? Data that is already in the index will not be affected by these changes. Also I'm assuming that you're sure that this relates to how Splunk parses the data, not how it outputs it in the web UI...

Re: Date Parsing

dmrhodes101 — Fri, 06 Jul 2012 08:42:52 GMT

Curse my stupidity. I had forgotten to restart Splunk when I made the change above.

Re: Date Parsing

dmrhodes101 — Mon, 09 Jul 2012 11:31:56 GMT

Now trying to create a new data input and getting the same error again:

From PROPS.CONF

[EDICOMMS]
NO_BINARY_CHECK = 1
pulldown_type = 1
TIME_PREFIX = Log for 
TIME_FORMAT = %d/%m/%Y %H:%M:%S
SHOULD_LINEMERGE = True
BREAK_ONLY_AFTER =  <NEWRECORD>

Output:

116     03/07/2012 04:20:06.000   Log for 03/07/2012 04:20:06
                                  "CUSTOMER:*******" <NEWRECORD> 

117     03/07/2012 04:20:18.000   Log for 03/07/2012 04:20:18
                                  Unknown issue. Type DIR Error 20142 550 No matching files pouet
                                  "CUSTOMER:*******" <NEWRECORD> 

118     03/07/2012 04:20:21.000   Log for 03/07/2012 04:20:21
                                  "CUSTOMER:********" <NEWRECORD> 

119     03/07/2012 04:20:25.000   Log for 03/07/2012 04:20:25
                                  "CUSTOMER:********" <NEWRECORD> 

120     03/07/2012 04:22:39.000   Log for 03/07/2012 04:22:39
                                  "CUSTOMER:*****" <NEWRECORD>

Each event has the "Could not use strptime to parse timestamp" warning, but seems to have converted the timestamp correctly.

Anyone know what I' doing wrong?

Re: Date Parsing

elaine0102 — Fri, 05 Oct 2012 05:46:42 GMT

Hi, have you solve this?
I am having the same issue as you and not sure what to do.

Re: Date Parsing

dmrhodes101 — Mon, 28 Sep 2020 12:34:17 GMT

Hi,

I changed the PROPS.CONF file to read:

[EDICOMMS]

NO_BINARY_CHECK = 1

pulldown_type = 1

TIME_PREFIX = Log for

TIME_FORMAT = %d/%m/%Y %H:%M:%S

SHOULD_LINEMERGE = TRUE

BREAK_ONLY_BEFORE = Log for

And that fixed my problem.

Dave

Re: Date Parsing

elaine0102 — Fri, 05 Oct 2012 09:23:01 GMT

Glad that you managed to solve it.
However, it could not solve mine.
Thank you for replying 🙂