Solved: Re: Capturing time from a new data input

DonDandrea · ‎07-10-2014

I am having problems formatting the date/time for a new data source. I have posted an example with six lines. The first three lines are only getting the time captured and the second three lines are working properly. I have tried regex, specified the time format and using a preface. Any help you can give would be greatly appreciated.

Thank you,
Don

-rw-r--r-- 1 t9266 Domain Users 52210 Jun 14 05:38 EAI_CGIRespToADHOC_MF_ReqId_Q565701528.eml
-rw-r--r-- 1 t9266 Domain Users 193537 Jun 14 05:41 EAI_CGIRespToADHOC_MF_ReqId_Q567401787.eml
-rw-r--r-- 1 t9266 Domain Users 184729 Jun 14 05:44 EAI_CGIRespToADHOC_MF_ReqId_Q567802243.eml
-rw-r--r-- 1 t9266 Domain Users 6596 Jun 16 11:07 CHM_retrieveIntmdDtlMDMPrntInqry_MFNA 2239.eml
-rw-r--r-- 1 t9266 Domain Users 6620 Jun 16 14:40 CHM_retrieveIntmdDtlMDMPrntInqry_MFNA 8359.eml
-rw-r--r-- 1 t9266 Domain Users 186290 Jun 16 20:55 EAI_CGIRespToADHOC_MF_ReqId_Q538004157.eml

somesoni2 · ‎07-10-2014

This works for me with sample data.

[YourSourceType]
TIME_FORMAT=%B %d %H:%M
TIME_PREFIX=\w+\s\d+\s
NO_BINARY_CHECK=1

View solution in original post

somesoni2 · ‎07-10-2014

This works for me with sample data.

[YourSourceType]
TIME_FORMAT=%B %d %H:%M
TIME_PREFIX=\w+\s\d+\s
NO_BINARY_CHECK=1

Capturing time from a new data input

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation