How do we handle white space in TIME_FORMAT?

Ultra Champion

I have a log file with events that start like - 2019-01-09 11:19:37 WARN.

We ended up using TIME_FORMAT=%Y-%m-%d%t%H:%M:%S and I don't like the %t (tab) part.

Is there a better way to handle the white space in TIME_FORMAT?

SplunkTrust

Just a space " "

nothing more nothing else

sometimes you will see capital T
check out this example and see

| makeresults count=1
| eval time_with_space1 = "2019-01-09 11:19:37"
| eval time_with_space2 = "2019 01 09 11:19:37"
| eval time_with_space3 = "2019-01-09T11:19:37"
| eval check_that_time_format_works1 = strftime(strptime(time_with_space1, "%Y-%m-%d %H:%M:%S"), "%c")
| eval check_that_time_format_works2 = strftime(strptime(time_with_space2, "%Y %m %d %H:%M:%S"), "%c")
| eval check_that_time_format_works3 = strftime(strptime(time_with_space3, "%Y-%m-%dT%H:%M:%S"), "%c")

hope it helps

Esteemed Legend

You can use combinations of %r, %n, %t and a regular space character. The numbers are not important, but the order is.

Contributor

Gregg, you made my day! Thx. I didn't know %r, %n, %s. Couldn't find anything about these in https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Commontimeformatvariables.

Again, great knowledge!

Ultra Champion

Thank you @woodcock !!!

Ultra Champion

@woodcock, will a tab in the data be captured by a space in TIME_FORMAT=%Y-%m-%d %H:%M:%S?

Esteemed Legend

No, you need to use %t.

Ultra Champion

Wow - a bit limiting ;-)

Ultra Champion

Interesting, I added a couple of spaces here between the date and the time -

 | eval time_with_space1 = "2019-01-09    11:19:37"

And it still works!!!

So, the space within "%Y-%m-%d %H:%M:%S" is stretchable, right?

My conclusion is that any combination of spaces and tabs in the data should be condensed to one space within TIME_FORMAT. I hope it's correct.

Ultra Champion

Thank you @adonio !!!

Ultra Champion

The SE said -

You just leave a blank space;

TIME_FORMAT=%Y-%m-%d %H:%M:%S
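
A way to check which separator the raw events actually contain before choosing among the TIME_FORMAT strings quoted in this thread. This is an added example, not part of the original posts; the regex, the function names and the sample events are constructed for illustration.

```python
import re
from collections import Counter

# Date, separator run, time at the start of an event (layout from the question).
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2})([ \tT]+)(\d{2}:\d{2}:\d{2})")

# TIME_FORMAT strings quoted in the thread, keyed by separator class.
THREAD_FORMATS = {
    "single space": "%Y-%m-%d %H:%M:%S",
    "single tab": "%Y-%m-%d%t%H:%M:%S",
    "literal T": "%Y-%m-%dT%H:%M:%S",
}

def classify(sep):
    """Name the separator run found between the date and the time."""
    if sep == " ":
        return "single space"
    if sep == "\t":
        return "single tab"
    if sep == "T":
        return "literal T"
    if set(sep) == {" "}:
        return "multiple spaces"
    return "other separator run"

def survey(lines):
    """Count separator classes; lines with no leading timestamp are 'no match'."""
    counts = Counter()
    for line in lines:
        m = STAMP.match(line)
        counts[classify(m.group(2)) if m else "no match"] += 1
    return counts

def report(lines):
    """Return (class, count, thread format or None) rows, most common first."""
    return [(k, n, THREAD_FORMATS.get(k)) for k, n in survey(lines).most_common()]

# Constructed sample events, modelled on the line in the question.
SAMPLE = [
    "2019-01-09 11:19:37 WARN disk usage high",
    "2019-01-09\t11:19:38 WARN disk usage high",
    "2019-01-09    11:19:39 INFO retry scheduled",
    "2019-01-09T11:19:40 INFO done",
    "2019-01-09 11:19:41 ERROR write failed",
    "    at com.example.Frame(Frame.java:10)",
]

if __name__ == "__main__":
    for kind, n, fmt in report(SAMPLE):
        print(f"{n:3d}  {kind:20s} {fmt or 'test in Splunk before choosing'}")
```

Rows with no format listed (runs of several spaces, mixed runs, unmatched lines) are the ones to test in Splunk itself, since the replies above differ on how a literal space in the format treats them.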