Ingest data into indexer which contains hourly dat... - Splunk Community

Splunk Dev

Below is the sample data and the props.conf that I used. When Splunk indexed the data, it only got 12 hours.

6:44:04 AM, Source = GetCookies, xxxxx....
6:44:05 AM, Source = IsFirstTimeUser, xxxxxx....
3:52:49 PM, Source = GetUserDetails - API,xxxxx....
3:52:52 PM, Source = GetCookies, xxxxx.....

And the props.conf that I used to parse the time.

[my_source_type] 
TIME_PREFIX=^ 
TIME_FORMAT=%H:%M:%S %p

Your props.conf is not correct.

TIME_FORMAT has "%H" which is the 24-hour-clock hour. Because %H explicitly defined it is a 24-hour time, the am/pm isn't used.

You need to use "%I:%M:%S" for a 12-hour time.

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...