- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
We have just encountered a problem with date parsing as we have progressed into the new month.
Our log files output a date and time stamp in the following pattern:
02-07-2012 @ 12:15:23.211
This has been fine up until 1st July, wherein splunk is now parsing the above log line, as the 7th Feb, instead of 2nd of the 7th.
I have created a entry in my props.conf file for this sourcetype, and defined the following:
TIME_FORMAT = %d-%m-%Y @ %H:%M:%S.%3N
But this has not resolved the issue, is there something wrong with my Time format, and why would this only just have started (as of 1st July)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have the percent sign on the wrong side. The percent signs should go before the format, so:
%d-%m-%Y @ %H:%M:%S.%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have the percent sign on the wrong side. The percent signs should go before the format, so:
%d-%m-%Y @ %H:%M:%S.%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the end i solved this by changing the date format in my logs.
Whilst this did not solve my initial problem, Ayn correctly pointed out that my syntax was wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn,
Sorry - thats my mistake when typing the question.
The config in use is as per your correction above, however the parsing is incorrect
