props.conf time format configuration

Path Finder

Hi,

We need to add YYYY to my events through configuration files. How can we achieve this?

Can someone please give an example of doing this? My sample logs look like below.

As the logs below don't have YYYY, the data is not being ingested properly.

44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:45.288 - 10 clients connected (1 slaves), 675337520 bytes in use
44168:M 15 Jul 00:58:50.298 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:50.298 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:58:55.307 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:58:55.307 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:00.315 - 10 clients connected (1 slaves), 675337472 bytes in use
44168:M 15 Jul 00:59:05.326 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:05.326 - 10 clients connected (1 slaves), 675411168 bytes in use
44168:M 15 Jul 00:59:10.339 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:10.339 - 10 clients connected (1 slaves), 675374368 bytes in use
44168:M 15 Jul 00:59:15.346 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:15.346 - 10 clients connected (1 slaves), 675337448 bytes in use
44168:M 15 Jul 00:59:20.359 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.
44168:M 15 Jul 00:59:20.359 - 10 clients connected (1 slaves), 675337520 bytes in use
0 Karma

Esteemed Legend

Try this in props.conf:

[YourSourceTypeHere]
TIME_PREFIX = ^\d+:\w+\s+
TIME_FORMAT = %d %b %H:%M:%S.%3N

If the year is missing, then Splunk will assume "this year" (or "last year" if in January and it sees December stuff), so long as you are not sending in stuff that is months old. Put this on your indexers and restart the Splunk instances there, and then all NEW data will be correct (old data will stay wrong).

0 Karma

Influencer

Specify the time format in props.conf explicitly (without year) and it should work fine. Something like:

[yoursourcetype]
TIME_PREFIX = ^\d+:M
TIME_FORMAT = %d %b %T.%3N

Splunk will assume the current year at the time of indexing in this case I believe.

0 Karma

Esteemed Legend

Why do you think that you need this?

0 Karma

Path Finder

Because, while ingesting data, since my logs do not have the year, Splunk is not ingesting any data except the time frame (00:00:00 to 00:59:59).

Since it does not have the year, it is considering the hour as the date and we are getting an incorrect time.
Sample logs below:

Time format as 1:58:50 --- the time it considered is 7/13/15. But it should be 7/15/2016.

7/13/15 1:58:50.298 PM 44168:M 15 Jul 1:58:50.298 - 10 clients connected (1 slaves), 675337448

7/16/15 4:59:00.315 PM 44168:M 15 Jul 4:59:00.315 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.

0 Karma

SplunkTrust

I think an easy way that could then be easily changed in the future would be by using SEDCMD

SEDCMD-year = s/:M/:M 2016/g

0 Karma
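To check both approaches above against sample lines before touching an indexer, here is a small Python model (added here, not code from the thread or from Splunk) of what the props.conf settings do: the year-less TIME_FORMAT with the "this year / last year in January" assumption from the first answer, and the SEDCMD rewrite that injects a fixed year. The TIME_FORMAT used after the SEDCMD (`%Y %d %b %H:%M:%S.%3N`) is an assumption, and the sample lines are constructed in the question's format.

```python
import re
from datetime import datetime

# Constructed sample lines in the question's format (no year in the timestamp).
SAMPLE_LINES = [
    "44168:M 15 Jul 00:58:45.288 - DB 0: 271239 keys (0 volatile) in 524288 slots HT.",
    "44168:M 31 Dec 23:59:59.999 - 10 clients connected (1 slaves), 675337520 bytes in use",
]

# Model of the props.conf answer: TIME_PREFIX = ^\d+:\w+\s+ and
# TIME_FORMAT = %d %b %H:%M:%S.%3N (Splunk's %3N is written as Python's %f here).
TIME_PREFIX = re.compile(r"^\d+:\w+\s+")
NO_YEAR_RE = re.compile(r"\d{1,2} [A-Za-z]{3} \d{2}:\d{2}:\d{2}\.\d{1,6}")
WITH_YEAR_RE = re.compile(r"\d{4} " + NO_YEAR_RE.pattern)


def _timestamp_after_prefix(line, timestamp_re):
    """Return the timestamp text that immediately follows TIME_PREFIX, or None."""
    m = TIME_PREFIX.match(line)
    ts = timestamp_re.match(line, m.end()) if m else None
    return ts.group(0) if ts else None


def parse_without_year(line, now_year, now_month):
    """Simplified model (not Splunk's own code) of indexing with a year-less
    TIME_FORMAT: use the indexer's current year, or the previous year when the
    indexer is in January and the event says December, as the answer states."""
    text = _timestamp_after_prefix(line, NO_YEAR_RE)
    if text is None:
        return None  # timestamp is not where TIME_PREFIX says it should be
    partial = datetime.strptime(text, "%d %b %H:%M:%S.%f")  # year is 1900 here
    year = now_year - 1 if (now_month == 1 and partial.month == 12) else now_year
    return partial.replace(year=year)


def apply_sedcmd_year(line, year=2016):
    """Equivalent of SEDCMD-year = s/:M/:M 2016/g applied to the raw event."""
    return re.sub(r":M", f":M {year}", line)


def parse_with_sedcmd_year(line, year=2016):
    """After the SEDCMD the timestamp carries a year, so TIME_FORMAT must start
    with %Y (assumed: %Y %d %b %H:%M:%S.%3N) and no longer depends on the clock."""
    text = _timestamp_after_prefix(apply_sedcmd_year(line, year), WITH_YEAR_RE)
    return datetime.strptime(text, "%Y %d %b %H:%M:%S.%f") if text else None


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_without_year(raw, 2017, 1), "|", parse_with_sedcmd_year(raw))
```

Run it with the indexer clock set to January to see the December line land in the previous year, which is exactly the case the first answer warns about for data that is months old.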

Path Finder

I would need to do this in timeFormat in props.conf?

0 Karma

SplunkTrust

Yes indeed.
And then reload the data.

0 Karma