https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199252#M57685 <P>It would probably be better if you could get the applications to write to individual log files. By giving an explicit <CODE>TIME_FORMAT</CODE> that only matches a subset of the events, the others will not parse correctly. </P> <P>Also, there seems to be no time element in some of the logs, just a date. Perhaps <CODE>DATETIME_CONFIG = current</CODE> in props.conf could work for you?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition</A></P> <P>/K</P> Tue, 02 Sep 2014 13:49:13 GMT kristian_kolb 2014-09-02T13:49:13Z https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199251#M57684 <P>I have a data source I am trying to ingest into Splunk. It is a txt file that is written to by multiple systems. My problem is that each system writing to the file has it's own date format. I have worked out two of the three data sources which have a two digit year The third data source has a four digit year.</P> <P>Below is what we are currently using in props.conf and a sample of the data.</P> <P>TIME_FORMAT =%m/%d/%y<BR /> TIME_PREFIX=NODE\w{2}\s+;</P> <P>INTVCICS;08/29/2014 ;23:30 ;1B90;T100 ;1 ;0 ;0 ;0 ;0.608 ;2.659 ;0.000 ;0.000 ;0.000 ;VENDORS ;XXXXX<BR /> NODEPR ;08/27/14 ;1D81;ECM_storeDocumentToCI_MF ;Extract Message-Code/Decode ;0.002 ;0.001 ;103 ;XXXXXXXX ;ComputeNode ;XXXXXXX<BR /> NODENP ;08/29/14 ;1B90;5:58 ;CM_retrieveClaimHistoryDtlCMS_MF ;SOAP Reply ;0.001 ;0.001 ;25 ;XXXXXXXX ;SOAPReplyNode ;XXXXXXX</P> <P>Thank you,<BR /> Don</P> Mon, 28 Sep 2020 17:27:36 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199251#M57684 DonDandrea 2020-09-28T17:27:36Z https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199252#M57685 <P>It would probably be better if you could get the applications to write to individual log files. By giving an explicit <CODE>TIME_FORMAT</CODE> that only matches a subset of the events, the others will not parse correctly. </P> <P>Also, there seems to be no time element in some of the logs, just a date. Perhaps <CODE>DATETIME_CONFIG = current</CODE> in props.conf could work for you?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Configuretimestamprecognition</A></P> <P>/K</P> Tue, 02 Sep 2014 13:49:13 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199252#M57685 kristian_kolb 2014-09-02T13:49:13Z https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199253#M57686 <P>We reformatted the output data from the source so all event use a two digit year. Once that was complete I was still having a problem with some events having a time and others did not. I simply configured Splunk to index by date and ignore time. Then I created an extract in props.conf for each of the event types. Now I can use eval with striptime in my search parameters and replace the date/time stamp of the events. This now allows use of date and time ranges and timechart.</P> Thu, 18 Sep 2014 12:45:00 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-time-formats-in-same-data-source/m-p/199253#M57686 DonDandrea 2014-09-18T12:45:00Z