Solved: Choosing the correct timestamp

echalex · ‎04-11-2012

Hi, I'm having a weird problem with recognizing timestamps. The actual timestamp looks like this:

[2012-04-11 11:24:11+03:00]

However, since the event itself contains the compilation time of the kernel (uname -a), Splunk will identify the date based on that, but will pick up the time from the timestamp. So the time of day changes, but the date is constantly 2012-01-20.

I've tried these settings in props.conf:

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 28

or

[my_sourcetype]
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 26

But the result is still the same.

kristian_kolb · ‎04-11-2012

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

View solution in original post

kristian_kolb · ‎04-11-2012

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

echalex · ‎04-12-2012

Thanks. I was kind of hoping I could avoid using a regexp, since time formats may change with locales and such. Also, I don't really understand why the MAX_TIMESTAMP_LOOKAHEAD is ignored.

echalex · ‎04-11-2012

Ayn,

[2012-04-11 12:14:01+03:00] Linux hostname.domain.tld 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

The log contains other events as well, but these all get indexed using the correct timestamp.

Ayn · ‎04-11-2012

Paste a sample event, please.

Choosing the correct timestamp

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Choosing the correct timestamp

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...