Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Date and Time Extraction from XML

danurag
Explorer
‎03-05-2012 10:55 AM

I would like to update the date and timestamp for an event during indexing.

The data is in the following format:

2012-03-05T18:21:20.533adfafadfsafsdf

The timestamp value is in GMT format and I need to convert it into PDT / PST. Splunk Server runs in PST/PDT.

Would just setting the TIME_FORMAT take care of it or do I need to set the Prefix too?

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-05-2012 11:51 AM

You need to set the prefix as well, since TIME_FORMAT will only look at the beginning of the line, by default:

TIME_PREFIX = <timestamp>
TIME_FORMAT = %Y-%m-%dT%T.%Q
TZ = UTC
Reply

danurag
Explorer
‎03-07-2012 01:27 PM

Thank you Steve. This helped greatly.

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...