Solved: Date Parsing

nickhills · ‎07-02-2012

Hello all,
We have just encountered a problem with date parsing as we have progressed into the new month.

Our log files output a date and time stamp in the following pattern:

02-07-2012 @ 12:15:23.211

This has been fine up until 1st July, wherein splunk is now parsing the above log line, as the 7th Feb, instead of 2nd of the 7th.

I have created a entry in my props.conf file for this sourcetype, and defined the following:

TIME_FORMAT = %d-%m-%Y @ %H:%M:%S.%3N

But this has not resolved the issue, is there something wrong with my Time format, and why would this only just have started (as of 1st July)

If my comment helps, please give it a thumbs up!

Ayn · ‎07-02-2012

You have the percent sign on the wrong side. The percent signs should go before the format, so:

%d-%m-%Y @ %H:%M:%S.%3N

Ayn · ‎07-02-2012

You have the percent sign on the wrong side. The percent signs should go before the format, so:

%d-%m-%Y @ %H:%M:%S.%3N

nickhills · ‎10-16-2012

In the end i solved this by changing the date format in my logs.

Whilst this did not solve my initial problem, Ayn correctly pointed out that my syntax was wrong.

If my comment helps, please give it a thumbs up!

nickhills · ‎07-02-2012

Ayn,

Sorry - thats my mistake when typing the question.
The config in use is as per your correction above, however the parsing is incorrect

If my comment helps, please give it a thumbs up!

Date Parsing