topic Re: How to extract date and time in Splunk? in Splunk Search

How to extract date and time in Splunk?

DonDandrea — Thu, 12 Jun 2014 19:36:51 GMT

I am having problems getting splunk to recognize date/time. The txt file I am extracting data from has multiple sources. Each source can have a different date/time format. Right now we are using two different types of events but will add new ones in the future. One of the two formats only includes a date. The other format has a date and a time but are not grouped together. See example below.

ODEPR  ;04/28/14 ;1D81;CHM_retrieveIntmdDtlMDMPrntInqry ;ValidateResponse ;0.000 ;0.001 ;10704 ;PRO1BAT1 ;ValidateNode ;MQS2BRK
NODENP  ;06/12/14 ;1B90;0:22 ;PYM_entityCheckPatriotAct43A_MF ;FilterEndOfBatch ;0.000 ;0.000 ;9 ;TST1TRN3 ;FilterNode ;MQS9BRK

Any help you can provide would be greatly appreciated.

Thank you,
Don

Re: How to extract date and time in Splunk?

lguinn2 — Thu, 12 Jun 2014 21:06:53 GMT

As long as you keep the different sources in different input files or streams, you should be fine. But I think you will make yourself nuts if you mix more than one timestamp format in the same input.

For each input where you want to specify the time format, you will need an entry in props.conf

[source::/path/to/your/source/file.ext]
TIME_FORMAT=%m/%d/%y
MAX_TIMESTAMP_LOOKAHEAD = 50

This props.conf belongs on the indexer(s) that parse the data, not on the forwarders.

The MAX_TIMESTAMP_LOOKAHEAD is not required, but it is a good idea. I have set it so that it only examines the first 50 characters of the event for the timestamp.

More information here: How Splunk extracts timestamps

Re: How to extract date and time in Splunk?

DonDandrea — Fri, 13 Jun 2014 19:19:32 GMT

I tried this and it worked for the entries that have a time. The entried that do not have time are indexed with the date the file was indexed. To be quite honest I don't care about the time. The entries are once a day. The date is the important piece.