Solved: TimeStamp problem

geantvert007 · ‎01-15-2016

Hi,

I have a timestamp problem on Splunk.
I am working with log file who looks like :

numberline;date;ipsrc;ipdst
102;13Jan2015;10.10.10.10;12.12.12.12

On splunk the date is 15 january but on the raw date we are in 13 january ...
I know that I have to configure propers.config,date_time.xml ect but what is the command to extract the date without space correctly ?

Thanks

Steve

renjith_nair · ‎01-15-2016

If you are trying to extract the date from your event, ie 13Jan2015, you can use

[<spec>]
TIME_PREFIX = \d{3};
TIME_FORMAT = %d%b%Y

where spec can be host,source,sourcetype

Reference : http://docs.splunk.com/Documentation/Splunk/6.1/Data/Configuretimestamprecognition

Happy Splunking!

View solution in original post

renjith_nair · ‎01-15-2016

If you are trying to extract the date from your event, ie 13Jan2015, you can use

[<spec>]
TIME_PREFIX = \d{3};
TIME_FORMAT = %d%b%Y

where spec can be host,source,sourcetype

Reference : http://docs.splunk.com/Documentation/Splunk/6.1/Data/Configuretimestamprecognition

Happy Splunking!

geantvert007 · ‎01-15-2016

Thanks renjith.nair,
I will try this.

On the splunk document they talk about the props.conf but I have use the local or the default props.config to enable the extraction ?

renjith_nair · ‎01-15-2016

For all your configuration, use local. Also please not that you might need to adjust the time prefix regex to match all your events

Happy Splunking!

TimeStamp problem

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!