All Apps and Add-ons

Date Formatting

nikhilmehra79
Path Finder

I have an event which has date in log as - 11-Mar-14
System is reading it as 3/14/11

Because of which system is saying that event is logged in 2011, how can i correct it?

0 Karma

yannK
Splunk Employee
Splunk Employee

This has to be fixed at index time. by defining a sourcetype with a timeformat extraction in props.conf on all your indexers (and heavy forwarders)

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition,
you probably need something starting with the date format in the correct order

`[mysourcetype]
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits : 21 Feb 15 6:02:05.000 PM

`
of course you also need to add the time format, not just the date.

0 Karma

nikhilmehra79
Path Finder

ok i tried (no luck) - i created a new sourcetype - Trend

At Universal Forwarder:

My source csv file has events in format:
"10-Mar-14 7:18:54 PM"

My input.conf
[monitor://D:\Latency.csv]
sourcetype = Trend

I edited learned props.conf (since not sure where to create new props.conf - C:\Program Files\SplunkForwarder\etc\apps\learned\local)

[Trend]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z

At indexer - created new props.conf in D:\Splunk\etc\apps\Dash\local. What am i missing?

0 Karma

nikhilmehra79
Path Finder

Actually when i this first started with this soutrce type i was not able to get data in indexer and i need to import a copy to indexer and build a learned file and then copy the learned behaviour to Universal Forwarder.

Now i leanred CSV-2 by doing this....but that is used by another file which is almost same as this input other than it does not have Date stamp in it.

Hence i thought to build CSV-3 which will be different from CSV-2 in leanred dir and add the Forced timestamp - if this is not right way then i would like to know where to build CSV-3 on forwarder and indexer

0 Karma

yannK
Splunk Employee
Splunk Employee

if you enforce the TIME_FORMAT, you need to add the hour time format too.

TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits 21 Feb 15 6:02:05.000 PM

Please
- enforce a sourcetype for your inputs, csv-3 looks like an automatic sourcetype that will increment every time something changes.
- create your own version of the sourcetype to another app (the learn app is automatic), this will be easier to maintain and deploy.

0 Karma

nikhilmehra79
Path Finder

Time seems to be coming in right format :
6:02:05.000 PM (which seems to be CT time right now) - i am ok with this. Since csv-3 is only used by this specific data source, i have to add this to Universal forwarder in learned\local\props.conf - do you think i need to adjust this in Universal Forwarder too..?

0 Karma

nikhilmehra79
Path Finder

SO my current Source Type at D:\Splunk\etc\apps\learned\local\props.conf is:

[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

are you suggesting:
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...