Re: props.conf time format configuration

splunker9999 · ‎07-15-2016

Hi ,

We need to add YYYY to my events through configuration files, how can we achieve this.

can some please give example of doing this.My sample logs looks like below

Here below, as logs doesn't have YYYY, data is not ingesting properly.

44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:45.288 - 10 clients connected (1 slaves), 675337520 bytes in use
44168:M 15 Jul 00:58:50.298 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:50.298 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:58:55.307 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:55.307 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:00.315 - 10 clients connected (1 slaves), 675337472 bytes in use
44168:M 15 Jul 00:59:05.326 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:05.326 - 10 clients connected (1 slaves), 675411168 bytes in use
44168:M 15 Jul 00:59:10.339 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:10.339 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:15.346 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:15.346 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:59:20.359 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:20.359 - 10 clients connected (1 slaves), 675337520 bytes in use

woodcock · ‎07-15-2016

Try this in props.conf:

[YourSourceTypeHere]
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %d %b %H:%M:%S.%3N

If the year is missing, then Splunk will assume "this year" (or "last year" if in January and it sees December stuff), so long as you are not sending in stuff that is months old. Put this on your indexers and restart splunk instances there and then all NEW data will be correct (old data will stay wrong).

twinspop · ‎07-15-2016

Specify the time format in props.conf explicitly (without year) and it should work fine. Something like:

[yoursourcetype]
TIME_PREFIX = ^\d+:M
TIME_FORMAT = %d %b %T.%3n

Splunk will assume the current year at the time of indexing in this case I believe.

woodcock · ‎07-15-2016

Why do you think that you need this?

splunker9999 · ‎07-15-2016

Because, while ingesting data..since my logs does not have Year, Splunk is not ingesting any data except the time frame (00:00:00 to 00:59:59).

Since it does not have year , it is considering Hour as date and we are getting incorrect time 
    sample logs be;low

Time Format as 1:58:50 --- Time it considered as 7/13/15 .But it shoud be as 7/15/2016.

7/13/15 1:58:50.298 PM 44168:M 15 Jul 1:58:50.298 - 10 clients connected (1 slaves), 675337448

7/16/15 4:59:00.315 PM 44168:M 15 Jul 4:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.

jkat54 · ‎07-15-2016

I think an easy way that could then be easily changed in the future would be by using SEDCMD

SEDCMD-year = s/:M/:M 2016/g

splunker9999 · ‎07-15-2016

I would need to do this in timeFormat in props.conf?

jkat54 · ‎07-15-2016

Yes indeed
And then reload data

props.conf time format configuration

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes