Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

12 hour timeformat without AM/PM distinction

jdoll1
Explorer
‎10-31-2018 07:54 AM

I have some data that we're ingesting that has "bad" timestamps. There is no AM/PM distinction, and they are in 12 hour format.

I have my timeformat in my props.conf as:

TIME_FORMAT = %a %b %d %Y %I:%M:%S.%3N

Will this extract the timestamps properly? It seems to in my sample extractions but I can't see how Splunk could know the AM/PM without the fields being there.

example log entries..first one is 11:26pm, second one is 12:13am. Third example is 4:34....no idea if thats AM or PM.

How does the %I know to use AM or PM if there isn't a variable present for that?

<                                  MessageUtil.java:58        > /* Sun Jul 22 2018 11:26:18.312 */  Failed to load resource bundle-BuilderMessages

<                                  MessageUtil.java:58        > /* Mon Jul 23 2018 12:13:12.000 */  Failed to load resource bundle-BuilderMessages

<                                  MessageUtil.java:58        > /* Mon Jul 23 2018 04:34:34.853 */  Failed to load resource bundle-BuilderMessages
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-01-2018 07:07 AM

Hi @jdoll1 ,

  • Your time in event is incomplete, if this is 12 hour format then it must have specified AM/PM. You can use %p to extract time with AM/PM as %I cannot extract AM/PM.
  • Or you should consider your time in 24 hour format. In that case you can use %H instead of %I.

Coming to your question in comment, whether it will pick AM/PM if you will not provide that information in event.
So I've tested in Splunk version 7.0.1 and I'm getting same result as you are getting. So my conclusion is when you not provide AM/PM and if hour in the time is 12 then it will consider AM, in all other cases it is considering PM.

Please consider putting complete time in event if source of the event is in your hand.
Hope this helps!!!!!

0 Karma
Reply

jdoll1
Explorer
‎11-01-2018 07:19 AM

Yeah I wish I could include the AM/PM or 24 hour time. These are logs written by a vendor app that we don't have control over. I guess my 'safest' option is to just use the index time as the timestamp and not use the timestamp written in the log.

The odd thing is that Splunk seems to be ingesting the data with the correct times using %I, even though it shouldn't without the AM/PM. I just don't trust it to continue ingesting properly.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-02-2018 01:57 AM

If you want to use current time instead of extracting time from event, you can write below configuration into your props.conf file.

[your-sourcetype]
DATETIME_CONFIG = CURRENT

In stanza name instead of sourcetype, you can also specify source or host. Please read more details in props.conf.

0 Karma
Reply

jdoll1
Explorer
‎11-09-2018 06:18 AM

Thanks I'll give that a try.

0 Karma
Reply

jdoll1
Explorer
‎11-01-2018 05:19 AM

I added this to a dev server yesterday morning and for now it seems to be properly indexing the timestamp as AM/PM, but the question remains, how does Splunk determine it?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...