Re: _time format in props config file

k_harini · ‎08-09-2017

I have time_submitted in this format - 10-08-2017 16:20:40 AEST, so in props file I gave in this format
TIMESTAMP_FIELDS = created_on
TIME_FORMAT = %d-%m-%Y %H:%M:%S %Z

Is this correct? when indexing data it takes index time instead of created_on.. Experts, kindly help

gcusello · ‎08-10-2017

Hi k_harini,
your TIME_FORMAT seems to be correct, anyway the easiest way to test it is to dowload an example of your logs and then use the web interface Add data function (Settings -- Add data -- Add local data] to immediately test your TIME_FORMAT.

Only an additional information: where do you put your props.con containing TIME_FORMAT?
It must be on the Indexer (with the only exceprion of csv files) not on the forwarder.

Bye.
Giuseppe

dshakespeare_sp · ‎08-10-2017

Your TIME_FORMAT looks correct. TIMESTAMP_FIELDS = created_on suggests that this is a csv file is this correct?
It would be useful to see the output from 'splunk cmd btool props list --debug' for the source / source type and a sample of the datafile including the header. The props.conf needs to be placed where the data is parsed (usually Indexer or HWF) or on the UF if you are using INDEXED_EXTRACTIONS = csv

_time format in props config file

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...