All Apps and Add-ons

Date Formatting

nikhilmehra79
Path Finder

I have an event which has date in log as - 11-Mar-14
System is reading it as 3/14/11

Because of which system is saying that event is logged in 2011, how can i correct it?

0 Karma

yannK
Splunk Employee
Splunk Employee

This has to be fixed at index time. by defining a sourcetype with a timeformat extraction in props.conf on all your indexers (and heavy forwarders)

see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition,
you probably need something starting with the date format in the correct order

`[mysourcetype]
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits : 21 Feb 15 6:02:05.000 PM

`
of course you also need to add the time format, not just the date.

0 Karma

nikhilmehra79
Path Finder

ok i tried (no luck) - i created a new sourcetype - Trend

At Universal Forwarder:

My source csv file has events in format:
"10-Mar-14 7:18:54 PM"

My input.conf
[monitor://D:\Latency.csv]
sourcetype = Trend

I edited learned props.conf (since not sure where to create new props.conf - C:\Program Files\SplunkForwarder\etc\apps\learned\local)

[Trend]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z

At indexer - created new props.conf in D:\Splunk\etc\apps\Dash\local. What am i missing?

0 Karma

nikhilmehra79
Path Finder

Actually when i this first started with this soutrce type i was not able to get data in indexer and i need to import a copy to indexer and build a learned file and then copy the learned behaviour to Universal Forwarder.

Now i leanred CSV-2 by doing this....but that is used by another file which is almost same as this input other than it does not have Date stamp in it.

Hence i thought to build CSV-3 which will be different from CSV-2 in leanred dir and add the Forced timestamp - if this is not right way then i would like to know where to build CSV-3 on forwarder and indexer

0 Karma

yannK
Splunk Employee
Splunk Employee

if you enforce the TIME_FORMAT, you need to add the hour time format too.

TIME_FORMAT=%d %b %y %H:%M:%S.%3N %Z
# expects : day_1or2digits month_3letters year_2digits 21 Feb 15 6:02:05.000 PM

Please
- enforce a sourcetype for your inputs, csv-3 looks like an automatic sourcetype that will increment every time something changes.
- create your own version of the sourcetype to another app (the learn app is automatic), this will be easier to maintain and deploy.

0 Karma

nikhilmehra79
Path Finder

Time seems to be coming in right format :
6:02:05.000 PM (which seems to be CT time right now) - i am ok with this. Since csv-3 is only used by this specific data source, i have to add this to Universal forwarder in learned\local\props.conf - do you think i need to adjust this in Universal Forwarder too..?

0 Karma

nikhilmehra79
Path Finder

SO my current Source Type at D:\Splunk\etc\apps\learned\local\props.conf is:

[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true

are you suggesting:
[csv-3]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
SHOULD_LINEMERGE = False
pulldown_type = true
TIME_FORMAT=%d %b %y

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...