Getting Data In

Choosing the correct timestamp

echalex
Builder

Hi, I'm having a weird problem with recognizing timestamps. The actual timestamp looks like this:

[2012-04-11 11:24:11+03:00]

However, since the event itself contains the compilation time of the kernel (uname -a), Splunk will identify the date based on that, but will pick up the time from the timestamp. So the time of day changes, but the date is constantly 2012-01-20.

I've tried these settings in props.conf:

[my_sourcetype]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 28

or

[my_sourcetype]
TIME_PREFIX = \[
MAX_TIMESTAMP_LOOKAHEAD = 26

But the result is still the same.

0 Karma
1 Solution

kristian_kolb
Ultra Champion

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

View solution in original post

kristian_kolb
Ultra Champion

Keep the TIME_PREFIX=^\[
Also set TIME_FORMAT=%Y-%m-%d %H:%M:%S%z

/k

echalex
Builder

Thanks. I was kind of hoping I could avoid using a regexp, since time formats may change with locales and such. Also, I don't really understand why the MAX_TIMESTAMP_LOOKAHEAD is ignored.

0 Karma

echalex
Builder

Ayn,

[2012-04-11 12:14:01+03:00] Linux hostname.domain.tld 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

The log contains other events as well, but these all get indexed using the correct timestamp.

0 Karma

Ayn
Legend

Paste a sample event, please.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...