Solved: Choosing the correct timestamp

echalex · ‎04-11-2012

Hi, I'm having a weird problem with recognizing timestamps. The actual timestamp looks like this:

[2012-04-11 11:24:11+03:00]

However, since the event itself contains the compilation time of the kernel (uname -a), Splunk will identify the date based on that, but will pick up the time from the timestamp. So the time of day changes, but the date is constantly 2012-01-20.

I've tried these settings in props.conf:

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 28

or

[my_sourcetype]
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 26

But the result is still the same.

kristian_kolb · ‎04-11-2012

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

View solution in original post

kristian_kolb · ‎04-11-2012

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

echalex · ‎04-12-2012

Thanks. I was kind of hoping I could avoid using a regexp, since time formats may change with locales and such. Also, I don't really understand why the MAX_TIMESTAMP_LOOKAHEAD is ignored.

echalex · ‎04-11-2012

Ayn,

[2012-04-11 12:14:01+03:00] Linux hostname.domain.tld 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

The log contains other events as well, but these all get indexed using the correct timestamp.

Ayn · ‎04-11-2012

Paste a sample event, please.

Choosing the correct timestamp

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation